diff --git a/.crd2pulumi-checksum b/.crd2pulumi-checksum
new file mode 100644
index 0000000..5b36035
--- /dev/null
+++ b/.crd2pulumi-checksum
@@ -0,0 +1 @@
+2eebf9968d1e434ea85182c1a229254ca0aefa30b6f433dd2ccfeca4751159ae
\ No newline at end of file
diff --git a/generated/crds/README.md b/generated/crds/README.md
new file mode 100644
index 0000000..9d6fc76
--- /dev/null
+++ b/generated/crds/README.md
@@ -0,0 +1,14 @@
+The Kubernetes provider package offers support for all Kubernetes resources and their properties.
+Resources are exposed as types from modules based on Kubernetes API groups such as 'apps', 'core',
+'rbac', and 'storage', among many others. Additionally, support for deploying Helm charts ('helm')
+and YAML files ('yaml') is available in this package. Using this package allows you to
+programmatically declare instances of any Kubernetes resources and any supported resource version
+using infrastructure as code, which Pulumi then uses to drive the Kubernetes API.
+
+If this is your first time using this package, these two resources may be helpful:
+
+* [Kubernetes Getting Started Guide](https://www.pulumi.com/docs/quickstart/kubernetes/): Get up and running quickly.
+* [Kubernetes Pulumi Setup Documentation](https://www.pulumi.com/docs/quickstart/kubernetes/configure/): How to configure Pulumi
+    for use with your Kubernetes cluster.
+
+Use the navigation below to see detailed documentation for each of the supported Kubernetes resources.
diff --git a/generated/crds/acme/index.d.ts b/generated/crds/acme/index.d.ts
new file mode 100644
index 0000000..1dfd148
--- /dev/null
+++ b/generated/crds/acme/index.d.ts
@@ -0,0 +1,2 @@
+import * as v1 from "./v1";
+export { v1, };
diff --git a/generated/crds/acme/index.js b/generated/crds/acme/index.js
new file mode 100644
index 0000000..087ed51
--- /dev/null
+++ b/generated/crds/acme/index.js
@@ -0,0 +1,8 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.v1 = void 0;
+// Export sub-modules:
+const v1 = require("./v1");
+exports.v1 = v1;
diff --git a/generated/crds/acme/index.ts b/generated/crds/acme/index.ts
new file mode 100644
index 0000000..af5c84d
--- /dev/null
+++ b/generated/crds/acme/index.ts
@@ -0,0 +1,11 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as utilities from "../utilities";
+
+// Export sub-modules:
+import * as v1 from "./v1";
+
+export {
+    v1,
+};
diff --git a/generated/crds/acme/v1/challenge.d.ts b/generated/crds/acme/v1/challenge.d.ts
new file mode 100644
index 0000000..03a1c8b
--- /dev/null
+++ b/generated/crds/acme/v1/challenge.d.ts
@@ -0,0 +1,64 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Challenge is a type to represent a Challenge request with an ACME server
+ */
+export declare class Challenge extends pulumi.CustomResource {
+    /**
+     * Get an existing Challenge resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Challenge;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:acme.cert-manager.io/v1:Challenge";
+    /**
+     * Returns true if the given object is an instance of Challenge.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is Challenge;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Challenge">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.acme.v1.ChallengeSpec>;
+    readonly status: pulumi.Output<outputs.acme.v1.ChallengeStatus>;
+    /**
+     * Create a Challenge resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ChallengeArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a Challenge resource.
+ */
+export interface ChallengeArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Challenge">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.acme.v1.ChallengeSpec>;
+}
diff --git a/generated/crds/acme/v1/challenge.js b/generated/crds/acme/v1/challenge.js
new file mode 100644
index 0000000..fcf47cf
--- /dev/null
+++ b/generated/crds/acme/v1/challenge.js
@@ -0,0 +1,63 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Challenge = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Challenge is a type to represent a Challenge request with an ACME server
+ */
+class Challenge extends pulumi.CustomResource {
+    /**
+     * Get an existing Challenge resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new Challenge(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of Challenge.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Challenge.__pulumiType;
+    }
+    /**
+     * Create a Challenge resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["kind"] = "Challenge";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Challenge.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.Challenge = Challenge;
+/** @internal */
+Challenge.__pulumiType = 'kubernetes:acme.cert-manager.io/v1:Challenge';
diff --git a/generated/crds/acme/v1/challenge.ts b/generated/crds/acme/v1/challenge.ts
new file mode 100644
index 0000000..d3ddfe0
--- /dev/null
+++ b/generated/crds/acme/v1/challenge.ts
@@ -0,0 +1,99 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Challenge is a type to represent a Challenge request with an ACME server
+ */
+export class Challenge extends pulumi.CustomResource {
+    /**
+     * Get an existing Challenge resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Challenge {
+        return new Challenge(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:acme.cert-manager.io/v1:Challenge';
+
+    /**
+     * Returns true if the given object is an instance of Challenge.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Challenge {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Challenge.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Challenge">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.acme.v1.ChallengeSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.acme.v1.ChallengeStatus>;
+
+    /**
+     * Create a Challenge resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ChallengeArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["kind"] = "Challenge";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Challenge.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a Challenge resource.
+ */
+export interface ChallengeArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Challenge">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.acme.v1.ChallengeSpec>;
+}
diff --git a/generated/crds/acme/v1/challengeList.d.ts b/generated/crds/acme/v1/challengeList.d.ts
new file mode 100644
index 0000000..82bbebd
--- /dev/null
+++ b/generated/crds/acme/v1/challengeList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * ChallengeList is a list of Challenge
+ */
+export declare class ChallengeList extends pulumi.CustomResource {
+    /**
+     * Get an existing ChallengeList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ChallengeList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:acme.cert-manager.io/v1:ChallengeList";
+    /**
+     * Returns true if the given object is an instance of ChallengeList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is ChallengeList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * List of challenges. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.acme.v1.Challenge[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"ChallengeList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a ChallengeList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ChallengeListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a ChallengeList resource.
+ */
+export interface ChallengeListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * List of challenges. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.acme.v1.Challenge>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ChallengeList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/acme/v1/challengeList.js b/generated/crds/acme/v1/challengeList.js
new file mode 100644
index 0000000..0338680
--- /dev/null
+++ b/generated/crds/acme/v1/challengeList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChallengeList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * ChallengeList is a list of Challenge
+ */
+class ChallengeList extends pulumi.CustomResource {
+    /**
+     * Get an existing ChallengeList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new ChallengeList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of ChallengeList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ChallengeList.__pulumiType;
+    }
+    /**
+     * Create a ChallengeList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "ChallengeList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ChallengeList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.ChallengeList = ChallengeList;
+/** @internal */
+ChallengeList.__pulumiType = 'kubernetes:acme.cert-manager.io/v1:ChallengeList';
diff --git a/generated/crds/acme/v1/challengeList.ts b/generated/crds/acme/v1/challengeList.ts
new file mode 100644
index 0000000..49f7f16
--- /dev/null
+++ b/generated/crds/acme/v1/challengeList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * ChallengeList is a list of Challenge
+ */
+export class ChallengeList extends pulumi.CustomResource {
+    /**
+     * Get an existing ChallengeList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ChallengeList {
+        return new ChallengeList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:acme.cert-manager.io/v1:ChallengeList';
+
+    /**
+     * Returns true if the given object is an instance of ChallengeList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is ChallengeList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ChallengeList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * List of challenges. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.acme.v1.Challenge[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"ChallengeList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a ChallengeList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ChallengeListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "ChallengeList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ChallengeList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a ChallengeList resource.
+ */
+export interface ChallengeListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * List of challenges. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.acme.v1.Challenge>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ChallengeList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/acme/v1/challengePatch.d.ts b/generated/crds/acme/v1/challengePatch.d.ts
new file mode 100644
index 0000000..9e3d468
--- /dev/null
+++ b/generated/crds/acme/v1/challengePatch.d.ts
@@ -0,0 +1,70 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Challenge is a type to represent a Challenge request with an ACME server
+ */
+export declare class ChallengePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing ChallengePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ChallengePatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:acme.cert-manager.io/v1:ChallengePatch";
+    /**
+     * Returns true if the given object is an instance of ChallengePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is ChallengePatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Challenge">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.acme.v1.ChallengeSpecPatch>;
+    readonly status: pulumi.Output<outputs.acme.v1.ChallengeStatusPatch>;
+    /**
+     * Create a ChallengePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ChallengePatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a ChallengePatch resource.
+ */
+export interface ChallengePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Challenge">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecPatch>;
+}
diff --git a/generated/crds/acme/v1/challengePatch.js b/generated/crds/acme/v1/challengePatch.js
new file mode 100644
index 0000000..ff66ada
--- /dev/null
+++ b/generated/crds/acme/v1/challengePatch.js
@@ -0,0 +1,69 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChallengePatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Challenge is a type to represent a Challenge request with an ACME server
+ */
+class ChallengePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing ChallengePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new ChallengePatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of ChallengePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ChallengePatch.__pulumiType;
+    }
+    /**
+     * Create a ChallengePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["kind"] = "Challenge";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ChallengePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.ChallengePatch = ChallengePatch;
+/** @internal */
+ChallengePatch.__pulumiType = 'kubernetes:acme.cert-manager.io/v1:ChallengePatch';
diff --git a/generated/crds/acme/v1/challengePatch.ts b/generated/crds/acme/v1/challengePatch.ts
new file mode 100644
index 0000000..adc5f4c
--- /dev/null
+++ b/generated/crds/acme/v1/challengePatch.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Challenge is a type to represent a Challenge request with an ACME server
+ */
+export class ChallengePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing ChallengePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ChallengePatch {
+        return new ChallengePatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:acme.cert-manager.io/v1:ChallengePatch';
+
+    /**
+     * Returns true if the given object is an instance of ChallengePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is ChallengePatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ChallengePatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Challenge">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.acme.v1.ChallengeSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.acme.v1.ChallengeStatusPatch>;
+
+    /**
+     * Create a ChallengePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ChallengePatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["kind"] = "Challenge";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ChallengePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a ChallengePatch resource.
+ */
+export interface ChallengePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Challenge">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecPatch>;
+}
diff --git a/generated/crds/acme/v1/index.d.ts b/generated/crds/acme/v1/index.d.ts
new file mode 100644
index 0000000..20f78f4
--- /dev/null
+++ b/generated/crds/acme/v1/index.d.ts
@@ -0,0 +1,18 @@
+export { ChallengeArgs } from "./challenge";
+export type Challenge = import("./challenge").Challenge;
+export declare const Challenge: typeof import("./challenge").Challenge;
+export { ChallengeListArgs } from "./challengeList";
+export type ChallengeList = import("./challengeList").ChallengeList;
+export declare const ChallengeList: typeof import("./challengeList").ChallengeList;
+export { ChallengePatchArgs } from "./challengePatch";
+export type ChallengePatch = import("./challengePatch").ChallengePatch;
+export declare const ChallengePatch: typeof import("./challengePatch").ChallengePatch;
+export { OrderArgs } from "./order";
+export type Order = import("./order").Order;
+export declare const Order: typeof import("./order").Order;
+export { OrderListArgs } from "./orderList";
+export type OrderList = import("./orderList").OrderList;
+export declare const OrderList: typeof import("./orderList").OrderList;
+export { OrderPatchArgs } from "./orderPatch";
+export type OrderPatch = import("./orderPatch").OrderPatch;
+export declare const OrderPatch: typeof import("./orderPatch").OrderPatch;
diff --git a/generated/crds/acme/v1/index.js b/generated/crds/acme/v1/index.js
new file mode 100644
index 0000000..c88ddd3
--- /dev/null
+++ b/generated/crds/acme/v1/index.js
@@ -0,0 +1,41 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrderPatch = exports.OrderList = exports.Order = exports.ChallengePatch = exports.ChallengeList = exports.Challenge = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+exports.Challenge = null;
+utilities.lazyLoad(exports, ["Challenge"], () => require("./challenge"));
+exports.ChallengeList = null;
+utilities.lazyLoad(exports, ["ChallengeList"], () => require("./challengeList"));
+exports.ChallengePatch = null;
+utilities.lazyLoad(exports, ["ChallengePatch"], () => require("./challengePatch"));
+exports.Order = null;
+utilities.lazyLoad(exports, ["Order"], () => require("./order"));
+exports.OrderList = null;
+utilities.lazyLoad(exports, ["OrderList"], () => require("./orderList"));
+exports.OrderPatch = null;
+utilities.lazyLoad(exports, ["OrderPatch"], () => require("./orderPatch"));
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name, type, urn) => {
+        switch (type) {
+            case "kubernetes:acme.cert-manager.io/v1:Challenge":
+                return new exports.Challenge(name, undefined, { urn });
+            case "kubernetes:acme.cert-manager.io/v1:ChallengeList":
+                return new exports.ChallengeList(name, undefined, { urn });
+            case "kubernetes:acme.cert-manager.io/v1:ChallengePatch":
+                return new exports.ChallengePatch(name, undefined, { urn });
+            case "kubernetes:acme.cert-manager.io/v1:Order":
+                return new exports.Order(name, undefined, { urn });
+            case "kubernetes:acme.cert-manager.io/v1:OrderList":
+                return new exports.OrderList(name, undefined, { urn });
+            case "kubernetes:acme.cert-manager.io/v1:OrderPatch":
+                return new exports.OrderPatch(name, undefined, { urn });
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "acme.cert-manager.io/v1", _module);
diff --git a/generated/crds/acme/v1/index.ts b/generated/crds/acme/v1/index.ts
new file mode 100644
index 0000000..9c5de31
--- /dev/null
+++ b/generated/crds/acme/v1/index.ts
@@ -0,0 +1,60 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../../utilities";
+
+// Export members:
+export { ChallengeArgs } from "./challenge";
+export type Challenge = import("./challenge").Challenge;
+export const Challenge: typeof import("./challenge").Challenge = null as any;
+utilities.lazyLoad(exports, ["Challenge"], () => require("./challenge"));
+
+export { ChallengeListArgs } from "./challengeList";
+export type ChallengeList = import("./challengeList").ChallengeList;
+export const ChallengeList: typeof import("./challengeList").ChallengeList = null as any;
+utilities.lazyLoad(exports, ["ChallengeList"], () => require("./challengeList"));
+
+export { ChallengePatchArgs } from "./challengePatch";
+export type ChallengePatch = import("./challengePatch").ChallengePatch;
+export const ChallengePatch: typeof import("./challengePatch").ChallengePatch = null as any;
+utilities.lazyLoad(exports, ["ChallengePatch"], () => require("./challengePatch"));
+
+export { OrderArgs } from "./order";
+export type Order = import("./order").Order;
+export const Order: typeof import("./order").Order = null as any;
+utilities.lazyLoad(exports, ["Order"], () => require("./order"));
+
+export { OrderListArgs } from "./orderList";
+export type OrderList = import("./orderList").OrderList;
+export const OrderList: typeof import("./orderList").OrderList = null as any;
+utilities.lazyLoad(exports, ["OrderList"], () => require("./orderList"));
+
+export { OrderPatchArgs } from "./orderPatch";
+export type OrderPatch = import("./orderPatch").OrderPatch;
+export const OrderPatch: typeof import("./orderPatch").OrderPatch = null as any;
+utilities.lazyLoad(exports, ["OrderPatch"], () => require("./orderPatch"));
+
+
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name: string, type: string, urn: string): pulumi.Resource => {
+        switch (type) {
+            case "kubernetes:acme.cert-manager.io/v1:Challenge":
+                return new Challenge(name, <any>undefined, { urn })
+            case "kubernetes:acme.cert-manager.io/v1:ChallengeList":
+                return new ChallengeList(name, <any>undefined, { urn })
+            case "kubernetes:acme.cert-manager.io/v1:ChallengePatch":
+                return new ChallengePatch(name, <any>undefined, { urn })
+            case "kubernetes:acme.cert-manager.io/v1:Order":
+                return new Order(name, <any>undefined, { urn })
+            case "kubernetes:acme.cert-manager.io/v1:OrderList":
+                return new OrderList(name, <any>undefined, { urn })
+            case "kubernetes:acme.cert-manager.io/v1:OrderPatch":
+                return new OrderPatch(name, <any>undefined, { urn })
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "acme.cert-manager.io/v1", _module)
diff --git a/generated/crds/acme/v1/order.d.ts b/generated/crds/acme/v1/order.d.ts
new file mode 100644
index 0000000..b927b1f
--- /dev/null
+++ b/generated/crds/acme/v1/order.d.ts
@@ -0,0 +1,64 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Order is a type to represent an Order with an ACME server
+ */
+export declare class Order extends pulumi.CustomResource {
+    /**
+     * Get an existing Order resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Order;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:acme.cert-manager.io/v1:Order";
+    /**
+     * Returns true if the given object is an instance of Order.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is Order;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Order">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.acme.v1.OrderSpec>;
+    readonly status: pulumi.Output<outputs.acme.v1.OrderStatus>;
+    /**
+     * Create a Order resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: OrderArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a Order resource.
+ */
+export interface OrderArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Order">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.acme.v1.OrderSpec>;
+}
diff --git a/generated/crds/acme/v1/order.js b/generated/crds/acme/v1/order.js
new file mode 100644
index 0000000..3c087aa
--- /dev/null
+++ b/generated/crds/acme/v1/order.js
@@ -0,0 +1,63 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Order = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Order is a type to represent an Order with an ACME server
+ */
+class Order extends pulumi.CustomResource {
+    /**
+     * Get an existing Order resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new Order(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of Order.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Order.__pulumiType;
+    }
+    /**
+     * Create a Order resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["kind"] = "Order";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Order.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.Order = Order;
+/** @internal */
+Order.__pulumiType = 'kubernetes:acme.cert-manager.io/v1:Order';
diff --git a/generated/crds/acme/v1/order.ts b/generated/crds/acme/v1/order.ts
new file mode 100644
index 0000000..a455e1f
--- /dev/null
+++ b/generated/crds/acme/v1/order.ts
@@ -0,0 +1,99 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Order is a type to represent an Order with an ACME server
+ */
+export class Order extends pulumi.CustomResource {
+    /**
+     * Get an existing Order resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Order {
+        return new Order(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:acme.cert-manager.io/v1:Order';
+
+    /**
+     * Returns true if the given object is an instance of Order.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Order {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Order.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Order">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.acme.v1.OrderSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.acme.v1.OrderStatus>;
+
+    /**
+     * Create a Order resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: OrderArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["kind"] = "Order";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Order.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a Order resource.
+ */
+export interface OrderArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Order">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.acme.v1.OrderSpec>;
+}
diff --git a/generated/crds/acme/v1/orderList.d.ts b/generated/crds/acme/v1/orderList.d.ts
new file mode 100644
index 0000000..5e41b92
--- /dev/null
+++ b/generated/crds/acme/v1/orderList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * OrderList is a list of Order
+ */
+export declare class OrderList extends pulumi.CustomResource {
+    /**
+     * Get an existing OrderList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): OrderList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:acme.cert-manager.io/v1:OrderList";
+    /**
+     * Returns true if the given object is an instance of OrderList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is OrderList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * List of orders. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.acme.v1.Order[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"OrderList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a OrderList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: OrderListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a OrderList resource.
+ */
+export interface OrderListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * List of orders. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.acme.v1.Order>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"OrderList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/acme/v1/orderList.js b/generated/crds/acme/v1/orderList.js
new file mode 100644
index 0000000..84a9ab4
--- /dev/null
+++ b/generated/crds/acme/v1/orderList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrderList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * OrderList is a list of Order
+ */
+class OrderList extends pulumi.CustomResource {
+    /**
+     * Get an existing OrderList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new OrderList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of OrderList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === OrderList.__pulumiType;
+    }
+    /**
+     * Create a OrderList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "OrderList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(OrderList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.OrderList = OrderList;
+/** @internal */
+OrderList.__pulumiType = 'kubernetes:acme.cert-manager.io/v1:OrderList';
diff --git a/generated/crds/acme/v1/orderList.ts b/generated/crds/acme/v1/orderList.ts
new file mode 100644
index 0000000..8b75144
--- /dev/null
+++ b/generated/crds/acme/v1/orderList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * OrderList is a list of Order
+ */
+export class OrderList extends pulumi.CustomResource {
+    /**
+     * Get an existing OrderList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): OrderList {
+        return new OrderList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:acme.cert-manager.io/v1:OrderList';
+
+    /**
+     * Returns true if the given object is an instance of OrderList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is OrderList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === OrderList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * List of orders. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.acme.v1.Order[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"OrderList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a OrderList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: OrderListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "OrderList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(OrderList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a OrderList resource.
+ */
+export interface OrderListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * List of orders. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.acme.v1.Order>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"OrderList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/acme/v1/orderPatch.d.ts b/generated/crds/acme/v1/orderPatch.d.ts
new file mode 100644
index 0000000..3765a7d
--- /dev/null
+++ b/generated/crds/acme/v1/orderPatch.d.ts
@@ -0,0 +1,70 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Order is a type to represent an Order with an ACME server
+ */
+export declare class OrderPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing OrderPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): OrderPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:acme.cert-manager.io/v1:OrderPatch";
+    /**
+     * Returns true if the given object is an instance of OrderPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is OrderPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Order">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.acme.v1.OrderSpecPatch>;
+    readonly status: pulumi.Output<outputs.acme.v1.OrderStatusPatch>;
+    /**
+     * Create a OrderPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: OrderPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a OrderPatch resource.
+ */
+export interface OrderPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Order">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.acme.v1.OrderSpecPatch>;
+}
diff --git a/generated/crds/acme/v1/orderPatch.js b/generated/crds/acme/v1/orderPatch.js
new file mode 100644
index 0000000..0cb3240
--- /dev/null
+++ b/generated/crds/acme/v1/orderPatch.js
@@ -0,0 +1,69 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrderPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Order is a type to represent an Order with an ACME server
+ */
+class OrderPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing OrderPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new OrderPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of OrderPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === OrderPatch.__pulumiType;
+    }
+    /**
+     * Create a OrderPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["kind"] = "Order";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(OrderPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.OrderPatch = OrderPatch;
+/** @internal */
+OrderPatch.__pulumiType = 'kubernetes:acme.cert-manager.io/v1:OrderPatch';
diff --git a/generated/crds/acme/v1/orderPatch.ts b/generated/crds/acme/v1/orderPatch.ts
new file mode 100644
index 0000000..a43d710
--- /dev/null
+++ b/generated/crds/acme/v1/orderPatch.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Order is a type to represent an Order with an ACME server
+ */
+export class OrderPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing OrderPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): OrderPatch {
+        return new OrderPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:acme.cert-manager.io/v1:OrderPatch';
+
+    /**
+     * Returns true if the given object is an instance of OrderPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is OrderPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === OrderPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Order">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.acme.v1.OrderSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.acme.v1.OrderStatusPatch>;
+
+    /**
+     * Create a OrderPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: OrderPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "acme.cert-manager.io/v1";
+            resourceInputs["kind"] = "Order";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(OrderPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a OrderPatch resource.
+ */
+export interface OrderPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Order">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.acme.v1.OrderSpecPatch>;
+}
diff --git a/generated/crds/cert_manager/index.d.ts b/generated/crds/cert_manager/index.d.ts
new file mode 100644
index 0000000..1dfd148
--- /dev/null
+++ b/generated/crds/cert_manager/index.d.ts
@@ -0,0 +1,2 @@
+import * as v1 from "./v1";
+export { v1, };
diff --git a/generated/crds/cert_manager/index.js b/generated/crds/cert_manager/index.js
new file mode 100644
index 0000000..087ed51
--- /dev/null
+++ b/generated/crds/cert_manager/index.js
@@ -0,0 +1,8 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.v1 = void 0;
+// Export sub-modules:
+const v1 = require("./v1");
+exports.v1 = v1;
diff --git a/generated/crds/cert_manager/index.ts b/generated/crds/cert_manager/index.ts
new file mode 100644
index 0000000..af5c84d
--- /dev/null
+++ b/generated/crds/cert_manager/index.ts
@@ -0,0 +1,11 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as utilities from "../utilities";
+
+// Export sub-modules:
+import * as v1 from "./v1";
+
+export {
+    v1,
+};
diff --git a/generated/crds/cert_manager/v1/certificate.d.ts b/generated/crds/cert_manager/v1/certificate.d.ts
new file mode 100644
index 0000000..364e562
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificate.d.ts
@@ -0,0 +1,67 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * A Certificate resource should be created to ensure an up to date and signed
+ * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+ *
+ * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+ */
+export declare class Certificate extends pulumi.CustomResource {
+    /**
+     * Get an existing Certificate resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Certificate;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:Certificate";
+    /**
+     * Returns true if the given object is an instance of Certificate.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is Certificate;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Certificate">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.cert_manager.v1.CertificateSpec>;
+    readonly status: pulumi.Output<outputs.cert_manager.v1.CertificateStatus>;
+    /**
+     * Create a Certificate resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a Certificate resource.
+ */
+export interface CertificateArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Certificate">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.CertificateSpec>;
+}
diff --git a/generated/crds/cert_manager/v1/certificate.js b/generated/crds/cert_manager/v1/certificate.js
new file mode 100644
index 0000000..a946a9a
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificate.js
@@ -0,0 +1,66 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Certificate = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * A Certificate resource should be created to ensure an up to date and signed
+ * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+ *
+ * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+ */
+class Certificate extends pulumi.CustomResource {
+    /**
+     * Get an existing Certificate resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new Certificate(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of Certificate.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Certificate.__pulumiType;
+    }
+    /**
+     * Create a Certificate resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "Certificate";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Certificate.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.Certificate = Certificate;
+/** @internal */
+Certificate.__pulumiType = 'kubernetes:cert-manager.io/v1:Certificate';
diff --git a/generated/crds/cert_manager/v1/certificate.ts b/generated/crds/cert_manager/v1/certificate.ts
new file mode 100644
index 0000000..d93292b
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificate.ts
@@ -0,0 +1,102 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * A Certificate resource should be created to ensure an up to date and signed
+ * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+ *
+ * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+ */
+export class Certificate extends pulumi.CustomResource {
+    /**
+     * Get an existing Certificate resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Certificate {
+        return new Certificate(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:Certificate';
+
+    /**
+     * Returns true if the given object is an instance of Certificate.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Certificate {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Certificate.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Certificate">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.cert_manager.v1.CertificateSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.cert_manager.v1.CertificateStatus>;
+
+    /**
+     * Create a Certificate resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "Certificate";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Certificate.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a Certificate resource.
+ */
+export interface CertificateArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Certificate">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.CertificateSpec>;
+}
diff --git a/generated/crds/cert_manager/v1/certificateList.d.ts b/generated/crds/cert_manager/v1/certificateList.d.ts
new file mode 100644
index 0000000..b21402d
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * CertificateList is a list of Certificate
+ */
+export declare class CertificateList extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificateList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:CertificateList";
+    /**
+     * Returns true if the given object is an instance of CertificateList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is CertificateList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * List of certificates. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.cert_manager.v1.Certificate[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"CertificateList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a CertificateList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a CertificateList resource.
+ */
+export interface CertificateListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * List of certificates. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.Certificate>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"CertificateList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/cert_manager/v1/certificateList.js b/generated/crds/cert_manager/v1/certificateList.js
new file mode 100644
index 0000000..329a53d
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificateList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * CertificateList is a list of Certificate
+ */
+class CertificateList extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new CertificateList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of CertificateList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificateList.__pulumiType;
+    }
+    /**
+     * Create a CertificateList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "CertificateList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificateList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.CertificateList = CertificateList;
+/** @internal */
+CertificateList.__pulumiType = 'kubernetes:cert-manager.io/v1:CertificateList';
diff --git a/generated/crds/cert_manager/v1/certificateList.ts b/generated/crds/cert_manager/v1/certificateList.ts
new file mode 100644
index 0000000..e5a06db
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * CertificateList is a list of Certificate
+ */
+export class CertificateList extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificateList {
+        return new CertificateList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:CertificateList';
+
+    /**
+     * Returns true if the given object is an instance of CertificateList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is CertificateList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificateList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * List of certificates. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.cert_manager.v1.Certificate[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"CertificateList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a CertificateList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "CertificateList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificateList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a CertificateList resource.
+ */
+export interface CertificateListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * List of certificates. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.Certificate>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"CertificateList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/cert_manager/v1/certificatePatch.d.ts b/generated/crds/cert_manager/v1/certificatePatch.d.ts
new file mode 100644
index 0000000..afe8e22
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificatePatch.d.ts
@@ -0,0 +1,73 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * A Certificate resource should be created to ensure an up to date and signed
+ * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+ *
+ * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+ */
+export declare class CertificatePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificatePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificatePatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:CertificatePatch";
+    /**
+     * Returns true if the given object is an instance of CertificatePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is CertificatePatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Certificate">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.cert_manager.v1.CertificateSpecPatch>;
+    readonly status: pulumi.Output<outputs.cert_manager.v1.CertificateStatusPatch>;
+    /**
+     * Create a CertificatePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificatePatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a CertificatePatch resource.
+ */
+export interface CertificatePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Certificate">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecPatch>;
+}
diff --git a/generated/crds/cert_manager/v1/certificatePatch.js b/generated/crds/cert_manager/v1/certificatePatch.js
new file mode 100644
index 0000000..764d506
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificatePatch.js
@@ -0,0 +1,72 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificatePatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * A Certificate resource should be created to ensure an up to date and signed
+ * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+ *
+ * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+ */
+class CertificatePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificatePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new CertificatePatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of CertificatePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificatePatch.__pulumiType;
+    }
+    /**
+     * Create a CertificatePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "Certificate";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificatePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.CertificatePatch = CertificatePatch;
+/** @internal */
+CertificatePatch.__pulumiType = 'kubernetes:cert-manager.io/v1:CertificatePatch';
diff --git a/generated/crds/cert_manager/v1/certificatePatch.ts b/generated/crds/cert_manager/v1/certificatePatch.ts
new file mode 100644
index 0000000..b079665
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificatePatch.ts
@@ -0,0 +1,108 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * A Certificate resource should be created to ensure an up to date and signed
+ * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+ *
+ * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+ */
+export class CertificatePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificatePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificatePatch {
+        return new CertificatePatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:CertificatePatch';
+
+    /**
+     * Returns true if the given object is an instance of CertificatePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is CertificatePatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificatePatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Certificate">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.cert_manager.v1.CertificateSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.cert_manager.v1.CertificateStatusPatch>;
+
+    /**
+     * Create a CertificatePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificatePatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "Certificate";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificatePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a CertificatePatch resource.
+ */
+export interface CertificatePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Certificate">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecPatch>;
+}
diff --git a/generated/crds/cert_manager/v1/certificateRequest.d.ts b/generated/crds/cert_manager/v1/certificateRequest.d.ts
new file mode 100644
index 0000000..908d32b
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateRequest.d.ts
@@ -0,0 +1,72 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * A CertificateRequest is used to request a signed certificate from one of the
+ * configured issuers.
+ *
+ * All fields within the CertificateRequest's `spec` are immutable after creation.
+ * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+ * condition and its `status.failureTime` field.
+ *
+ * A CertificateRequest is a one-shot resource, meaning it represents a single
+ * point in time request for a certificate and cannot be re-used.
+ */
+export declare class CertificateRequest extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateRequest resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificateRequest;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:CertificateRequest";
+    /**
+     * Returns true if the given object is an instance of CertificateRequest.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is CertificateRequest;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"CertificateRequest">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.cert_manager.v1.CertificateRequestSpec>;
+    readonly status: pulumi.Output<outputs.cert_manager.v1.CertificateRequestStatus>;
+    /**
+     * Create a CertificateRequest resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateRequestArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a CertificateRequest resource.
+ */
+export interface CertificateRequestArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"CertificateRequest">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpec>;
+}
diff --git a/generated/crds/cert_manager/v1/certificateRequest.js b/generated/crds/cert_manager/v1/certificateRequest.js
new file mode 100644
index 0000000..d6adc2e
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateRequest.js
@@ -0,0 +1,71 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificateRequest = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * A CertificateRequest is used to request a signed certificate from one of the
+ * configured issuers.
+ *
+ * All fields within the CertificateRequest's `spec` are immutable after creation.
+ * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+ * condition and its `status.failureTime` field.
+ *
+ * A CertificateRequest is a one-shot resource, meaning it represents a single
+ * point in time request for a certificate and cannot be re-used.
+ */
+class CertificateRequest extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateRequest resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new CertificateRequest(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of CertificateRequest.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificateRequest.__pulumiType;
+    }
+    /**
+     * Create a CertificateRequest resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "CertificateRequest";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificateRequest.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.CertificateRequest = CertificateRequest;
+/** @internal */
+CertificateRequest.__pulumiType = 'kubernetes:cert-manager.io/v1:CertificateRequest';
diff --git a/generated/crds/cert_manager/v1/certificateRequest.ts b/generated/crds/cert_manager/v1/certificateRequest.ts
new file mode 100644
index 0000000..3860c00
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateRequest.ts
@@ -0,0 +1,107 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * A CertificateRequest is used to request a signed certificate from one of the
+ * configured issuers.
+ *
+ * All fields within the CertificateRequest's `spec` are immutable after creation.
+ * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+ * condition and its `status.failureTime` field.
+ *
+ * A CertificateRequest is a one-shot resource, meaning it represents a single
+ * point in time request for a certificate and cannot be re-used.
+ */
+export class CertificateRequest extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateRequest resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificateRequest {
+        return new CertificateRequest(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:CertificateRequest';
+
+    /**
+     * Returns true if the given object is an instance of CertificateRequest.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is CertificateRequest {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificateRequest.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"CertificateRequest">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.cert_manager.v1.CertificateRequestSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.cert_manager.v1.CertificateRequestStatus>;
+
+    /**
+     * Create a CertificateRequest resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateRequestArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "CertificateRequest";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificateRequest.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a CertificateRequest resource.
+ */
+export interface CertificateRequestArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"CertificateRequest">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpec>;
+}
diff --git a/generated/crds/cert_manager/v1/certificateRequestList.d.ts b/generated/crds/cert_manager/v1/certificateRequestList.d.ts
new file mode 100644
index 0000000..67fb1d1
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateRequestList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * CertificateRequestList is a list of CertificateRequest
+ */
+export declare class CertificateRequestList extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateRequestList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificateRequestList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:CertificateRequestList";
+    /**
+     * Returns true if the given object is an instance of CertificateRequestList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is CertificateRequestList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * List of certificaterequests. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.cert_manager.v1.CertificateRequest[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"CertificateRequestList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a CertificateRequestList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateRequestListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a CertificateRequestList resource.
+ */
+export interface CertificateRequestListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * List of certificaterequests. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateRequest>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"CertificateRequestList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/cert_manager/v1/certificateRequestList.js b/generated/crds/cert_manager/v1/certificateRequestList.js
new file mode 100644
index 0000000..cc626f4
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateRequestList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificateRequestList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * CertificateRequestList is a list of CertificateRequest
+ */
+class CertificateRequestList extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateRequestList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new CertificateRequestList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of CertificateRequestList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificateRequestList.__pulumiType;
+    }
+    /**
+     * Create a CertificateRequestList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "CertificateRequestList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificateRequestList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.CertificateRequestList = CertificateRequestList;
+/** @internal */
+CertificateRequestList.__pulumiType = 'kubernetes:cert-manager.io/v1:CertificateRequestList';
diff --git a/generated/crds/cert_manager/v1/certificateRequestList.ts b/generated/crds/cert_manager/v1/certificateRequestList.ts
new file mode 100644
index 0000000..eeebad9
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateRequestList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * CertificateRequestList is a list of CertificateRequest
+ */
+export class CertificateRequestList extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateRequestList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificateRequestList {
+        return new CertificateRequestList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:CertificateRequestList';
+
+    /**
+     * Returns true if the given object is an instance of CertificateRequestList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is CertificateRequestList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificateRequestList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * List of certificaterequests. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.cert_manager.v1.CertificateRequest[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"CertificateRequestList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a CertificateRequestList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateRequestListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "CertificateRequestList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificateRequestList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a CertificateRequestList resource.
+ */
+export interface CertificateRequestListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * List of certificaterequests. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateRequest>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"CertificateRequestList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/cert_manager/v1/certificateRequestPatch.d.ts b/generated/crds/cert_manager/v1/certificateRequestPatch.d.ts
new file mode 100644
index 0000000..92b746b
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateRequestPatch.d.ts
@@ -0,0 +1,78 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * A CertificateRequest is used to request a signed certificate from one of the
+ * configured issuers.
+ *
+ * All fields within the CertificateRequest's `spec` are immutable after creation.
+ * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+ * condition and its `status.failureTime` field.
+ *
+ * A CertificateRequest is a one-shot resource, meaning it represents a single
+ * point in time request for a certificate and cannot be re-used.
+ */
+export declare class CertificateRequestPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateRequestPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificateRequestPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:CertificateRequestPatch";
+    /**
+     * Returns true if the given object is an instance of CertificateRequestPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is CertificateRequestPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"CertificateRequest">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.cert_manager.v1.CertificateRequestSpecPatch>;
+    readonly status: pulumi.Output<outputs.cert_manager.v1.CertificateRequestStatusPatch>;
+    /**
+     * Create a CertificateRequestPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateRequestPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a CertificateRequestPatch resource.
+ */
+export interface CertificateRequestPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"CertificateRequest">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpecPatch>;
+}
diff --git a/generated/crds/cert_manager/v1/certificateRequestPatch.js b/generated/crds/cert_manager/v1/certificateRequestPatch.js
new file mode 100644
index 0000000..f4d6af5
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateRequestPatch.js
@@ -0,0 +1,77 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificateRequestPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * A CertificateRequest is used to request a signed certificate from one of the
+ * configured issuers.
+ *
+ * All fields within the CertificateRequest's `spec` are immutable after creation.
+ * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+ * condition and its `status.failureTime` field.
+ *
+ * A CertificateRequest is a one-shot resource, meaning it represents a single
+ * point in time request for a certificate and cannot be re-used.
+ */
+class CertificateRequestPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateRequestPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new CertificateRequestPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of CertificateRequestPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificateRequestPatch.__pulumiType;
+    }
+    /**
+     * Create a CertificateRequestPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "CertificateRequest";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificateRequestPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.CertificateRequestPatch = CertificateRequestPatch;
+/** @internal */
+CertificateRequestPatch.__pulumiType = 'kubernetes:cert-manager.io/v1:CertificateRequestPatch';
diff --git a/generated/crds/cert_manager/v1/certificateRequestPatch.ts b/generated/crds/cert_manager/v1/certificateRequestPatch.ts
new file mode 100644
index 0000000..e4bfba5
--- /dev/null
+++ b/generated/crds/cert_manager/v1/certificateRequestPatch.ts
@@ -0,0 +1,113 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * A CertificateRequest is used to request a signed certificate from one of the
+ * configured issuers.
+ *
+ * All fields within the CertificateRequest's `spec` are immutable after creation.
+ * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+ * condition and its `status.failureTime` field.
+ *
+ * A CertificateRequest is a one-shot resource, meaning it represents a single
+ * point in time request for a certificate and cannot be re-used.
+ */
+export class CertificateRequestPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing CertificateRequestPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): CertificateRequestPatch {
+        return new CertificateRequestPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:CertificateRequestPatch';
+
+    /**
+     * Returns true if the given object is an instance of CertificateRequestPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is CertificateRequestPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === CertificateRequestPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"CertificateRequest">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.cert_manager.v1.CertificateRequestSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.cert_manager.v1.CertificateRequestStatusPatch>;
+
+    /**
+     * Create a CertificateRequestPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: CertificateRequestPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "CertificateRequest";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(CertificateRequestPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a CertificateRequestPatch resource.
+ */
+export interface CertificateRequestPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"CertificateRequest">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpecPatch>;
+}
diff --git a/generated/crds/cert_manager/v1/clusterIssuer.d.ts b/generated/crds/cert_manager/v1/clusterIssuer.d.ts
new file mode 100644
index 0000000..c7fbebc
--- /dev/null
+++ b/generated/crds/cert_manager/v1/clusterIssuer.d.ts
@@ -0,0 +1,68 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * A ClusterIssuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is similar to an Issuer, however it is cluster-scoped and therefore can
+ * be referenced by resources that exist in *any* namespace, not just the same
+ * namespace as the referent.
+ */
+export declare class ClusterIssuer extends pulumi.CustomResource {
+    /**
+     * Get an existing ClusterIssuer resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ClusterIssuer;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:ClusterIssuer";
+    /**
+     * Returns true if the given object is an instance of ClusterIssuer.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is ClusterIssuer;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"ClusterIssuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.cert_manager.v1.ClusterIssuerSpec>;
+    readonly status: pulumi.Output<outputs.cert_manager.v1.ClusterIssuerStatus>;
+    /**
+     * Create a ClusterIssuer resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ClusterIssuerArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a ClusterIssuer resource.
+ */
+export interface ClusterIssuerArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ClusterIssuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpec>;
+}
diff --git a/generated/crds/cert_manager/v1/clusterIssuer.js b/generated/crds/cert_manager/v1/clusterIssuer.js
new file mode 100644
index 0000000..484dccd
--- /dev/null
+++ b/generated/crds/cert_manager/v1/clusterIssuer.js
@@ -0,0 +1,67 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClusterIssuer = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * A ClusterIssuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is similar to an Issuer, however it is cluster-scoped and therefore can
+ * be referenced by resources that exist in *any* namespace, not just the same
+ * namespace as the referent.
+ */
+class ClusterIssuer extends pulumi.CustomResource {
+    /**
+     * Get an existing ClusterIssuer resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new ClusterIssuer(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of ClusterIssuer.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ClusterIssuer.__pulumiType;
+    }
+    /**
+     * Create a ClusterIssuer resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "ClusterIssuer";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ClusterIssuer.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.ClusterIssuer = ClusterIssuer;
+/** @internal */
+ClusterIssuer.__pulumiType = 'kubernetes:cert-manager.io/v1:ClusterIssuer';
diff --git a/generated/crds/cert_manager/v1/clusterIssuer.ts b/generated/crds/cert_manager/v1/clusterIssuer.ts
new file mode 100644
index 0000000..62d860c
--- /dev/null
+++ b/generated/crds/cert_manager/v1/clusterIssuer.ts
@@ -0,0 +1,103 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * A ClusterIssuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is similar to an Issuer, however it is cluster-scoped and therefore can
+ * be referenced by resources that exist in *any* namespace, not just the same
+ * namespace as the referent.
+ */
+export class ClusterIssuer extends pulumi.CustomResource {
+    /**
+     * Get an existing ClusterIssuer resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ClusterIssuer {
+        return new ClusterIssuer(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:ClusterIssuer';
+
+    /**
+     * Returns true if the given object is an instance of ClusterIssuer.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is ClusterIssuer {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ClusterIssuer.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"ClusterIssuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.cert_manager.v1.ClusterIssuerSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.cert_manager.v1.ClusterIssuerStatus>;
+
+    /**
+     * Create a ClusterIssuer resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ClusterIssuerArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "ClusterIssuer";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ClusterIssuer.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a ClusterIssuer resource.
+ */
+export interface ClusterIssuerArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ClusterIssuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpec>;
+}
diff --git a/generated/crds/cert_manager/v1/clusterIssuerList.d.ts b/generated/crds/cert_manager/v1/clusterIssuerList.d.ts
new file mode 100644
index 0000000..8f578db
--- /dev/null
+++ b/generated/crds/cert_manager/v1/clusterIssuerList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * ClusterIssuerList is a list of ClusterIssuer
+ */
+export declare class ClusterIssuerList extends pulumi.CustomResource {
+    /**
+     * Get an existing ClusterIssuerList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ClusterIssuerList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:ClusterIssuerList";
+    /**
+     * Returns true if the given object is an instance of ClusterIssuerList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is ClusterIssuerList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * List of clusterissuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.cert_manager.v1.ClusterIssuer[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"ClusterIssuerList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a ClusterIssuerList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ClusterIssuerListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a ClusterIssuerList resource.
+ */
+export interface ClusterIssuerListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * List of clusterissuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuer>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ClusterIssuerList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/cert_manager/v1/clusterIssuerList.js b/generated/crds/cert_manager/v1/clusterIssuerList.js
new file mode 100644
index 0000000..80a5928
--- /dev/null
+++ b/generated/crds/cert_manager/v1/clusterIssuerList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClusterIssuerList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * ClusterIssuerList is a list of ClusterIssuer
+ */
+class ClusterIssuerList extends pulumi.CustomResource {
+    /**
+     * Get an existing ClusterIssuerList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new ClusterIssuerList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of ClusterIssuerList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ClusterIssuerList.__pulumiType;
+    }
+    /**
+     * Create a ClusterIssuerList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "ClusterIssuerList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ClusterIssuerList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.ClusterIssuerList = ClusterIssuerList;
+/** @internal */
+ClusterIssuerList.__pulumiType = 'kubernetes:cert-manager.io/v1:ClusterIssuerList';
diff --git a/generated/crds/cert_manager/v1/clusterIssuerList.ts b/generated/crds/cert_manager/v1/clusterIssuerList.ts
new file mode 100644
index 0000000..5ef75dd
--- /dev/null
+++ b/generated/crds/cert_manager/v1/clusterIssuerList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * ClusterIssuerList is a list of ClusterIssuer
+ */
+export class ClusterIssuerList extends pulumi.CustomResource {
+    /**
+     * Get an existing ClusterIssuerList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ClusterIssuerList {
+        return new ClusterIssuerList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:ClusterIssuerList';
+
+    /**
+     * Returns true if the given object is an instance of ClusterIssuerList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is ClusterIssuerList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ClusterIssuerList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * List of clusterissuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.cert_manager.v1.ClusterIssuer[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"ClusterIssuerList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a ClusterIssuerList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ClusterIssuerListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "ClusterIssuerList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ClusterIssuerList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a ClusterIssuerList resource.
+ */
+export interface ClusterIssuerListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * List of clusterissuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuer>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ClusterIssuerList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/cert_manager/v1/clusterIssuerPatch.d.ts b/generated/crds/cert_manager/v1/clusterIssuerPatch.d.ts
new file mode 100644
index 0000000..412881e
--- /dev/null
+++ b/generated/crds/cert_manager/v1/clusterIssuerPatch.d.ts
@@ -0,0 +1,74 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * A ClusterIssuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is similar to an Issuer, however it is cluster-scoped and therefore can
+ * be referenced by resources that exist in *any* namespace, not just the same
+ * namespace as the referent.
+ */
+export declare class ClusterIssuerPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing ClusterIssuerPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ClusterIssuerPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:ClusterIssuerPatch";
+    /**
+     * Returns true if the given object is an instance of ClusterIssuerPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is ClusterIssuerPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"ClusterIssuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.cert_manager.v1.ClusterIssuerSpecPatch>;
+    readonly status: pulumi.Output<outputs.cert_manager.v1.ClusterIssuerStatusPatch>;
+    /**
+     * Create a ClusterIssuerPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ClusterIssuerPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a ClusterIssuerPatch resource.
+ */
+export interface ClusterIssuerPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ClusterIssuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecPatch>;
+}
diff --git a/generated/crds/cert_manager/v1/clusterIssuerPatch.js b/generated/crds/cert_manager/v1/clusterIssuerPatch.js
new file mode 100644
index 0000000..f13966a
--- /dev/null
+++ b/generated/crds/cert_manager/v1/clusterIssuerPatch.js
@@ -0,0 +1,73 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClusterIssuerPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * A ClusterIssuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is similar to an Issuer, however it is cluster-scoped and therefore can
+ * be referenced by resources that exist in *any* namespace, not just the same
+ * namespace as the referent.
+ */
+class ClusterIssuerPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing ClusterIssuerPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new ClusterIssuerPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of ClusterIssuerPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ClusterIssuerPatch.__pulumiType;
+    }
+    /**
+     * Create a ClusterIssuerPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "ClusterIssuer";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ClusterIssuerPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.ClusterIssuerPatch = ClusterIssuerPatch;
+/** @internal */
+ClusterIssuerPatch.__pulumiType = 'kubernetes:cert-manager.io/v1:ClusterIssuerPatch';
diff --git a/generated/crds/cert_manager/v1/clusterIssuerPatch.ts b/generated/crds/cert_manager/v1/clusterIssuerPatch.ts
new file mode 100644
index 0000000..15b43db
--- /dev/null
+++ b/generated/crds/cert_manager/v1/clusterIssuerPatch.ts
@@ -0,0 +1,109 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * A ClusterIssuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is similar to an Issuer, however it is cluster-scoped and therefore can
+ * be referenced by resources that exist in *any* namespace, not just the same
+ * namespace as the referent.
+ */
+export class ClusterIssuerPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing ClusterIssuerPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ClusterIssuerPatch {
+        return new ClusterIssuerPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:ClusterIssuerPatch';
+
+    /**
+     * Returns true if the given object is an instance of ClusterIssuerPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is ClusterIssuerPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ClusterIssuerPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"ClusterIssuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.cert_manager.v1.ClusterIssuerSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.cert_manager.v1.ClusterIssuerStatusPatch>;
+
+    /**
+     * Create a ClusterIssuerPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ClusterIssuerPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "ClusterIssuer";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ClusterIssuerPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a ClusterIssuerPatch resource.
+ */
+export interface ClusterIssuerPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ClusterIssuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecPatch>;
+}
diff --git a/generated/crds/cert_manager/v1/index.d.ts b/generated/crds/cert_manager/v1/index.d.ts
new file mode 100644
index 0000000..761dbe9
--- /dev/null
+++ b/generated/crds/cert_manager/v1/index.d.ts
@@ -0,0 +1,36 @@
+export { CertificateArgs } from "./certificate";
+export type Certificate = import("./certificate").Certificate;
+export declare const Certificate: typeof import("./certificate").Certificate;
+export { CertificateListArgs } from "./certificateList";
+export type CertificateList = import("./certificateList").CertificateList;
+export declare const CertificateList: typeof import("./certificateList").CertificateList;
+export { CertificatePatchArgs } from "./certificatePatch";
+export type CertificatePatch = import("./certificatePatch").CertificatePatch;
+export declare const CertificatePatch: typeof import("./certificatePatch").CertificatePatch;
+export { CertificateRequestArgs } from "./certificateRequest";
+export type CertificateRequest = import("./certificateRequest").CertificateRequest;
+export declare const CertificateRequest: typeof import("./certificateRequest").CertificateRequest;
+export { CertificateRequestListArgs } from "./certificateRequestList";
+export type CertificateRequestList = import("./certificateRequestList").CertificateRequestList;
+export declare const CertificateRequestList: typeof import("./certificateRequestList").CertificateRequestList;
+export { CertificateRequestPatchArgs } from "./certificateRequestPatch";
+export type CertificateRequestPatch = import("./certificateRequestPatch").CertificateRequestPatch;
+export declare const CertificateRequestPatch: typeof import("./certificateRequestPatch").CertificateRequestPatch;
+export { ClusterIssuerArgs } from "./clusterIssuer";
+export type ClusterIssuer = import("./clusterIssuer").ClusterIssuer;
+export declare const ClusterIssuer: typeof import("./clusterIssuer").ClusterIssuer;
+export { ClusterIssuerListArgs } from "./clusterIssuerList";
+export type ClusterIssuerList = import("./clusterIssuerList").ClusterIssuerList;
+export declare const ClusterIssuerList: typeof import("./clusterIssuerList").ClusterIssuerList;
+export { ClusterIssuerPatchArgs } from "./clusterIssuerPatch";
+export type ClusterIssuerPatch = import("./clusterIssuerPatch").ClusterIssuerPatch;
+export declare const ClusterIssuerPatch: typeof import("./clusterIssuerPatch").ClusterIssuerPatch;
+export { IssuerArgs } from "./issuer";
+export type Issuer = import("./issuer").Issuer;
+export declare const Issuer: typeof import("./issuer").Issuer;
+export { IssuerListArgs } from "./issuerList";
+export type IssuerList = import("./issuerList").IssuerList;
+export declare const IssuerList: typeof import("./issuerList").IssuerList;
+export { IssuerPatchArgs } from "./issuerPatch";
+export type IssuerPatch = import("./issuerPatch").IssuerPatch;
+export declare const IssuerPatch: typeof import("./issuerPatch").IssuerPatch;
diff --git a/generated/crds/cert_manager/v1/index.js b/generated/crds/cert_manager/v1/index.js
new file mode 100644
index 0000000..93ff895
--- /dev/null
+++ b/generated/crds/cert_manager/v1/index.js
@@ -0,0 +1,65 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IssuerPatch = exports.IssuerList = exports.Issuer = exports.ClusterIssuerPatch = exports.ClusterIssuerList = exports.ClusterIssuer = exports.CertificateRequestPatch = exports.CertificateRequestList = exports.CertificateRequest = exports.CertificatePatch = exports.CertificateList = exports.Certificate = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+exports.Certificate = null;
+utilities.lazyLoad(exports, ["Certificate"], () => require("./certificate"));
+exports.CertificateList = null;
+utilities.lazyLoad(exports, ["CertificateList"], () => require("./certificateList"));
+exports.CertificatePatch = null;
+utilities.lazyLoad(exports, ["CertificatePatch"], () => require("./certificatePatch"));
+exports.CertificateRequest = null;
+utilities.lazyLoad(exports, ["CertificateRequest"], () => require("./certificateRequest"));
+exports.CertificateRequestList = null;
+utilities.lazyLoad(exports, ["CertificateRequestList"], () => require("./certificateRequestList"));
+exports.CertificateRequestPatch = null;
+utilities.lazyLoad(exports, ["CertificateRequestPatch"], () => require("./certificateRequestPatch"));
+exports.ClusterIssuer = null;
+utilities.lazyLoad(exports, ["ClusterIssuer"], () => require("./clusterIssuer"));
+exports.ClusterIssuerList = null;
+utilities.lazyLoad(exports, ["ClusterIssuerList"], () => require("./clusterIssuerList"));
+exports.ClusterIssuerPatch = null;
+utilities.lazyLoad(exports, ["ClusterIssuerPatch"], () => require("./clusterIssuerPatch"));
+exports.Issuer = null;
+utilities.lazyLoad(exports, ["Issuer"], () => require("./issuer"));
+exports.IssuerList = null;
+utilities.lazyLoad(exports, ["IssuerList"], () => require("./issuerList"));
+exports.IssuerPatch = null;
+utilities.lazyLoad(exports, ["IssuerPatch"], () => require("./issuerPatch"));
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name, type, urn) => {
+        switch (type) {
+            case "kubernetes:cert-manager.io/v1:Certificate":
+                return new exports.Certificate(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:CertificateList":
+                return new exports.CertificateList(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:CertificatePatch":
+                return new exports.CertificatePatch(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:CertificateRequest":
+                return new exports.CertificateRequest(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:CertificateRequestList":
+                return new exports.CertificateRequestList(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:CertificateRequestPatch":
+                return new exports.CertificateRequestPatch(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:ClusterIssuer":
+                return new exports.ClusterIssuer(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:ClusterIssuerList":
+                return new exports.ClusterIssuerList(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:ClusterIssuerPatch":
+                return new exports.ClusterIssuerPatch(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:Issuer":
+                return new exports.Issuer(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:IssuerList":
+                return new exports.IssuerList(name, undefined, { urn });
+            case "kubernetes:cert-manager.io/v1:IssuerPatch":
+                return new exports.IssuerPatch(name, undefined, { urn });
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "cert-manager.io/v1", _module);
diff --git a/generated/crds/cert_manager/v1/index.ts b/generated/crds/cert_manager/v1/index.ts
new file mode 100644
index 0000000..50a5183
--- /dev/null
+++ b/generated/crds/cert_manager/v1/index.ts
@@ -0,0 +1,102 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../../utilities";
+
+// Export members:
+export { CertificateArgs } from "./certificate";
+export type Certificate = import("./certificate").Certificate;
+export const Certificate: typeof import("./certificate").Certificate = null as any;
+utilities.lazyLoad(exports, ["Certificate"], () => require("./certificate"));
+
+export { CertificateListArgs } from "./certificateList";
+export type CertificateList = import("./certificateList").CertificateList;
+export const CertificateList: typeof import("./certificateList").CertificateList = null as any;
+utilities.lazyLoad(exports, ["CertificateList"], () => require("./certificateList"));
+
+export { CertificatePatchArgs } from "./certificatePatch";
+export type CertificatePatch = import("./certificatePatch").CertificatePatch;
+export const CertificatePatch: typeof import("./certificatePatch").CertificatePatch = null as any;
+utilities.lazyLoad(exports, ["CertificatePatch"], () => require("./certificatePatch"));
+
+export { CertificateRequestArgs } from "./certificateRequest";
+export type CertificateRequest = import("./certificateRequest").CertificateRequest;
+export const CertificateRequest: typeof import("./certificateRequest").CertificateRequest = null as any;
+utilities.lazyLoad(exports, ["CertificateRequest"], () => require("./certificateRequest"));
+
+export { CertificateRequestListArgs } from "./certificateRequestList";
+export type CertificateRequestList = import("./certificateRequestList").CertificateRequestList;
+export const CertificateRequestList: typeof import("./certificateRequestList").CertificateRequestList = null as any;
+utilities.lazyLoad(exports, ["CertificateRequestList"], () => require("./certificateRequestList"));
+
+export { CertificateRequestPatchArgs } from "./certificateRequestPatch";
+export type CertificateRequestPatch = import("./certificateRequestPatch").CertificateRequestPatch;
+export const CertificateRequestPatch: typeof import("./certificateRequestPatch").CertificateRequestPatch = null as any;
+utilities.lazyLoad(exports, ["CertificateRequestPatch"], () => require("./certificateRequestPatch"));
+
+export { ClusterIssuerArgs } from "./clusterIssuer";
+export type ClusterIssuer = import("./clusterIssuer").ClusterIssuer;
+export const ClusterIssuer: typeof import("./clusterIssuer").ClusterIssuer = null as any;
+utilities.lazyLoad(exports, ["ClusterIssuer"], () => require("./clusterIssuer"));
+
+export { ClusterIssuerListArgs } from "./clusterIssuerList";
+export type ClusterIssuerList = import("./clusterIssuerList").ClusterIssuerList;
+export const ClusterIssuerList: typeof import("./clusterIssuerList").ClusterIssuerList = null as any;
+utilities.lazyLoad(exports, ["ClusterIssuerList"], () => require("./clusterIssuerList"));
+
+export { ClusterIssuerPatchArgs } from "./clusterIssuerPatch";
+export type ClusterIssuerPatch = import("./clusterIssuerPatch").ClusterIssuerPatch;
+export const ClusterIssuerPatch: typeof import("./clusterIssuerPatch").ClusterIssuerPatch = null as any;
+utilities.lazyLoad(exports, ["ClusterIssuerPatch"], () => require("./clusterIssuerPatch"));
+
+export { IssuerArgs } from "./issuer";
+export type Issuer = import("./issuer").Issuer;
+export const Issuer: typeof import("./issuer").Issuer = null as any;
+utilities.lazyLoad(exports, ["Issuer"], () => require("./issuer"));
+
+export { IssuerListArgs } from "./issuerList";
+export type IssuerList = import("./issuerList").IssuerList;
+export const IssuerList: typeof import("./issuerList").IssuerList = null as any;
+utilities.lazyLoad(exports, ["IssuerList"], () => require("./issuerList"));
+
+export { IssuerPatchArgs } from "./issuerPatch";
+export type IssuerPatch = import("./issuerPatch").IssuerPatch;
+export const IssuerPatch: typeof import("./issuerPatch").IssuerPatch = null as any;
+utilities.lazyLoad(exports, ["IssuerPatch"], () => require("./issuerPatch"));
+
+
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name: string, type: string, urn: string): pulumi.Resource => {
+        switch (type) {
+            case "kubernetes:cert-manager.io/v1:Certificate":
+                return new Certificate(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:CertificateList":
+                return new CertificateList(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:CertificatePatch":
+                return new CertificatePatch(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:CertificateRequest":
+                return new CertificateRequest(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:CertificateRequestList":
+                return new CertificateRequestList(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:CertificateRequestPatch":
+                return new CertificateRequestPatch(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:ClusterIssuer":
+                return new ClusterIssuer(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:ClusterIssuerList":
+                return new ClusterIssuerList(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:ClusterIssuerPatch":
+                return new ClusterIssuerPatch(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:Issuer":
+                return new Issuer(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:IssuerList":
+                return new IssuerList(name, <any>undefined, { urn })
+            case "kubernetes:cert-manager.io/v1:IssuerPatch":
+                return new IssuerPatch(name, <any>undefined, { urn })
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "cert-manager.io/v1", _module)
diff --git a/generated/crds/cert_manager/v1/issuer.d.ts b/generated/crds/cert_manager/v1/issuer.d.ts
new file mode 100644
index 0000000..96a6e12
--- /dev/null
+++ b/generated/crds/cert_manager/v1/issuer.d.ts
@@ -0,0 +1,67 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * An Issuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is scoped to a single namespace and can therefore only be referenced by
+ * resources within the same namespace.
+ */
+export declare class Issuer extends pulumi.CustomResource {
+    /**
+     * Get an existing Issuer resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Issuer;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:Issuer";
+    /**
+     * Returns true if the given object is an instance of Issuer.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is Issuer;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Issuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.cert_manager.v1.IssuerSpec>;
+    readonly status: pulumi.Output<outputs.cert_manager.v1.IssuerStatus>;
+    /**
+     * Create a Issuer resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: IssuerArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a Issuer resource.
+ */
+export interface IssuerArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Issuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpec>;
+}
diff --git a/generated/crds/cert_manager/v1/issuer.js b/generated/crds/cert_manager/v1/issuer.js
new file mode 100644
index 0000000..93f84ac
--- /dev/null
+++ b/generated/crds/cert_manager/v1/issuer.js
@@ -0,0 +1,66 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Issuer = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * An Issuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is scoped to a single namespace and can therefore only be referenced by
+ * resources within the same namespace.
+ */
+class Issuer extends pulumi.CustomResource {
+    /**
+     * Get an existing Issuer resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new Issuer(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of Issuer.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Issuer.__pulumiType;
+    }
+    /**
+     * Create a Issuer resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "Issuer";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Issuer.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.Issuer = Issuer;
+/** @internal */
+Issuer.__pulumiType = 'kubernetes:cert-manager.io/v1:Issuer';
diff --git a/generated/crds/cert_manager/v1/issuer.ts b/generated/crds/cert_manager/v1/issuer.ts
new file mode 100644
index 0000000..1864f7a
--- /dev/null
+++ b/generated/crds/cert_manager/v1/issuer.ts
@@ -0,0 +1,102 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * An Issuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is scoped to a single namespace and can therefore only be referenced by
+ * resources within the same namespace.
+ */
+export class Issuer extends pulumi.CustomResource {
+    /**
+     * Get an existing Issuer resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Issuer {
+        return new Issuer(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:Issuer';
+
+    /**
+     * Returns true if the given object is an instance of Issuer.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Issuer {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Issuer.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Issuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.cert_manager.v1.IssuerSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.cert_manager.v1.IssuerStatus>;
+
+    /**
+     * Create a Issuer resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: IssuerArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "Issuer";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Issuer.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a Issuer resource.
+ */
+export interface IssuerArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Issuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpec>;
+}
diff --git a/generated/crds/cert_manager/v1/issuerList.d.ts b/generated/crds/cert_manager/v1/issuerList.d.ts
new file mode 100644
index 0000000..f32f55b
--- /dev/null
+++ b/generated/crds/cert_manager/v1/issuerList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * IssuerList is a list of Issuer
+ */
+export declare class IssuerList extends pulumi.CustomResource {
+    /**
+     * Get an existing IssuerList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): IssuerList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:IssuerList";
+    /**
+     * Returns true if the given object is an instance of IssuerList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is IssuerList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * List of issuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.cert_manager.v1.Issuer[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"IssuerList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a IssuerList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: IssuerListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a IssuerList resource.
+ */
+export interface IssuerListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * List of issuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.Issuer>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"IssuerList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/cert_manager/v1/issuerList.js b/generated/crds/cert_manager/v1/issuerList.js
new file mode 100644
index 0000000..2bb7063
--- /dev/null
+++ b/generated/crds/cert_manager/v1/issuerList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IssuerList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * IssuerList is a list of Issuer
+ */
+class IssuerList extends pulumi.CustomResource {
+    /**
+     * Get an existing IssuerList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new IssuerList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of IssuerList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === IssuerList.__pulumiType;
+    }
+    /**
+     * Create a IssuerList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "IssuerList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(IssuerList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.IssuerList = IssuerList;
+/** @internal */
+IssuerList.__pulumiType = 'kubernetes:cert-manager.io/v1:IssuerList';
diff --git a/generated/crds/cert_manager/v1/issuerList.ts b/generated/crds/cert_manager/v1/issuerList.ts
new file mode 100644
index 0000000..7c7f54e
--- /dev/null
+++ b/generated/crds/cert_manager/v1/issuerList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * IssuerList is a list of Issuer
+ */
+export class IssuerList extends pulumi.CustomResource {
+    /**
+     * Get an existing IssuerList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): IssuerList {
+        return new IssuerList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:IssuerList';
+
+    /**
+     * Returns true if the given object is an instance of IssuerList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is IssuerList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === IssuerList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * List of issuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.cert_manager.v1.Issuer[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"IssuerList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a IssuerList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: IssuerListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "IssuerList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(IssuerList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a IssuerList resource.
+ */
+export interface IssuerListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * List of issuers. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.Issuer>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"IssuerList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/cert_manager/v1/issuerPatch.d.ts b/generated/crds/cert_manager/v1/issuerPatch.d.ts
new file mode 100644
index 0000000..b2792ec
--- /dev/null
+++ b/generated/crds/cert_manager/v1/issuerPatch.d.ts
@@ -0,0 +1,73 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * An Issuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is scoped to a single namespace and can therefore only be referenced by
+ * resources within the same namespace.
+ */
+export declare class IssuerPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing IssuerPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): IssuerPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:cert-manager.io/v1:IssuerPatch";
+    /**
+     * Returns true if the given object is an instance of IssuerPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is IssuerPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Issuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.cert_manager.v1.IssuerSpecPatch>;
+    readonly status: pulumi.Output<outputs.cert_manager.v1.IssuerStatusPatch>;
+    /**
+     * Create a IssuerPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: IssuerPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a IssuerPatch resource.
+ */
+export interface IssuerPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Issuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecPatch>;
+}
diff --git a/generated/crds/cert_manager/v1/issuerPatch.js b/generated/crds/cert_manager/v1/issuerPatch.js
new file mode 100644
index 0000000..2bb9c58
--- /dev/null
+++ b/generated/crds/cert_manager/v1/issuerPatch.js
@@ -0,0 +1,72 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IssuerPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * An Issuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is scoped to a single namespace and can therefore only be referenced by
+ * resources within the same namespace.
+ */
+class IssuerPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing IssuerPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new IssuerPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of IssuerPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === IssuerPatch.__pulumiType;
+    }
+    /**
+     * Create a IssuerPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "Issuer";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(IssuerPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.IssuerPatch = IssuerPatch;
+/** @internal */
+IssuerPatch.__pulumiType = 'kubernetes:cert-manager.io/v1:IssuerPatch';
diff --git a/generated/crds/cert_manager/v1/issuerPatch.ts b/generated/crds/cert_manager/v1/issuerPatch.ts
new file mode 100644
index 0000000..87d0326
--- /dev/null
+++ b/generated/crds/cert_manager/v1/issuerPatch.ts
@@ -0,0 +1,108 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * An Issuer represents a certificate issuing authority which can be
+ * referenced as part of `issuerRef` fields.
+ * It is scoped to a single namespace and can therefore only be referenced by
+ * resources within the same namespace.
+ */
+export class IssuerPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing IssuerPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): IssuerPatch {
+        return new IssuerPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:cert-manager.io/v1:IssuerPatch';
+
+    /**
+     * Returns true if the given object is an instance of IssuerPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is IssuerPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === IssuerPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Issuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.cert_manager.v1.IssuerSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.cert_manager.v1.IssuerStatusPatch>;
+
+    /**
+     * Create a IssuerPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: IssuerPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "cert-manager.io/v1";
+            resourceInputs["kind"] = "Issuer";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(IssuerPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a IssuerPatch resource.
+ */
+export interface IssuerPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Issuer">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecPatch>;
+}
diff --git a/generated/crds/gateway/index.d.ts b/generated/crds/gateway/index.d.ts
new file mode 100644
index 0000000..99ab3b9
--- /dev/null
+++ b/generated/crds/gateway/index.d.ts
@@ -0,0 +1,6 @@
+import * as v1 from "./v1";
+import * as v1alpha1 from "./v1alpha1";
+import * as v1alpha2 from "./v1alpha2";
+import * as v1alpha3 from "./v1alpha3";
+import * as v1beta1 from "./v1beta1";
+export { v1, v1alpha1, v1alpha2, v1alpha3, v1beta1, };
diff --git a/generated/crds/gateway/index.js b/generated/crds/gateway/index.js
new file mode 100644
index 0000000..be1acb6
--- /dev/null
+++ b/generated/crds/gateway/index.js
@@ -0,0 +1,16 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.v1beta1 = exports.v1alpha3 = exports.v1alpha2 = exports.v1alpha1 = exports.v1 = void 0;
+// Export sub-modules:
+const v1 = require("./v1");
+exports.v1 = v1;
+const v1alpha1 = require("./v1alpha1");
+exports.v1alpha1 = v1alpha1;
+const v1alpha2 = require("./v1alpha2");
+exports.v1alpha2 = v1alpha2;
+const v1alpha3 = require("./v1alpha3");
+exports.v1alpha3 = v1alpha3;
+const v1beta1 = require("./v1beta1");
+exports.v1beta1 = v1beta1;
diff --git a/generated/crds/gateway/index.ts b/generated/crds/gateway/index.ts
new file mode 100644
index 0000000..46f2d06
--- /dev/null
+++ b/generated/crds/gateway/index.ts
@@ -0,0 +1,19 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as utilities from "../utilities";
+
+// Export sub-modules:
+import * as v1 from "./v1";
+import * as v1alpha1 from "./v1alpha1";
+import * as v1alpha2 from "./v1alpha2";
+import * as v1alpha3 from "./v1alpha3";
+import * as v1beta1 from "./v1beta1";
+
+export {
+    v1,
+    v1alpha1,
+    v1alpha2,
+    v1alpha3,
+    v1beta1,
+};
diff --git a/generated/crds/gateway/v1/backendTLSPolicy.d.ts b/generated/crds/gateway/v1/backendTLSPolicy.d.ts
new file mode 100644
index 0000000..81ba223
--- /dev/null
+++ b/generated/crds/gateway/v1/backendTLSPolicy.d.ts
@@ -0,0 +1,65 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+export declare class BackendTLSPolicy extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicy resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicy;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy";
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicy.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is BackendTLSPolicy;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.BackendTLSPolicySpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1.BackendTLSPolicyStatus>;
+    /**
+     * Create a BackendTLSPolicy resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a BackendTLSPolicy resource.
+ */
+export interface BackendTLSPolicyArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpec>;
+}
diff --git a/generated/crds/gateway/v1/backendTLSPolicy.js b/generated/crds/gateway/v1/backendTLSPolicy.js
new file mode 100644
index 0000000..326091e
--- /dev/null
+++ b/generated/crds/gateway/v1/backendTLSPolicy.js
@@ -0,0 +1,66 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BackendTLSPolicy = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+class BackendTLSPolicy extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicy resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new BackendTLSPolicy(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicy.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicy.__pulumiType;
+    }
+    /**
+     * Create a BackendTLSPolicy resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "BackendTLSPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicy" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(BackendTLSPolicy.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.BackendTLSPolicy = BackendTLSPolicy;
+/** @internal */
+BackendTLSPolicy.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy';
diff --git a/generated/crds/gateway/v1/backendTLSPolicy.ts b/generated/crds/gateway/v1/backendTLSPolicy.ts
new file mode 100644
index 0000000..5d91fa2
--- /dev/null
+++ b/generated/crds/gateway/v1/backendTLSPolicy.ts
@@ -0,0 +1,102 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+export class BackendTLSPolicy extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicy resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicy {
+        return new BackendTLSPolicy(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy';
+
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicy.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is BackendTLSPolicy {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicy.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.BackendTLSPolicySpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.BackendTLSPolicyStatus>;
+
+    /**
+     * Create a BackendTLSPolicy resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "BackendTLSPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicy" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(BackendTLSPolicy.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a BackendTLSPolicy resource.
+ */
+export interface BackendTLSPolicyArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpec>;
+}
diff --git a/generated/crds/gateway/v1/backendTLSPolicyList.d.ts b/generated/crds/gateway/v1/backendTLSPolicyList.d.ts
new file mode 100644
index 0000000..fb14bbb
--- /dev/null
+++ b/generated/crds/gateway/v1/backendTLSPolicyList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * BackendTLSPolicyList is a list of BackendTLSPolicy
+ */
+export declare class BackendTLSPolicyList extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList";
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is BackendTLSPolicyList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1.BackendTLSPolicy[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"BackendTLSPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a BackendTLSPolicyList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a BackendTLSPolicyList resource.
+ */
+export interface BackendTLSPolicyListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicy>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/backendTLSPolicyList.js b/generated/crds/gateway/v1/backendTLSPolicyList.js
new file mode 100644
index 0000000..a2ce1cd
--- /dev/null
+++ b/generated/crds/gateway/v1/backendTLSPolicyList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BackendTLSPolicyList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * BackendTLSPolicyList is a list of BackendTLSPolicy
+ */
+class BackendTLSPolicyList extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new BackendTLSPolicyList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicyList.__pulumiType;
+    }
+    /**
+     * Create a BackendTLSPolicyList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "BackendTLSPolicyList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(BackendTLSPolicyList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.BackendTLSPolicyList = BackendTLSPolicyList;
+/** @internal */
+BackendTLSPolicyList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList';
diff --git a/generated/crds/gateway/v1/backendTLSPolicyList.ts b/generated/crds/gateway/v1/backendTLSPolicyList.ts
new file mode 100644
index 0000000..52509ff
--- /dev/null
+++ b/generated/crds/gateway/v1/backendTLSPolicyList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * BackendTLSPolicyList is a list of BackendTLSPolicy
+ */
+export class BackendTLSPolicyList extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyList {
+        return new BackendTLSPolicyList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList';
+
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is BackendTLSPolicyList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicyList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1.BackendTLSPolicy[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"BackendTLSPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a BackendTLSPolicyList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "BackendTLSPolicyList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(BackendTLSPolicyList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a BackendTLSPolicyList resource.
+ */
+export interface BackendTLSPolicyListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicy>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/backendTLSPolicyPatch.d.ts b/generated/crds/gateway/v1/backendTLSPolicyPatch.d.ts
new file mode 100644
index 0000000..7eca469
--- /dev/null
+++ b/generated/crds/gateway/v1/backendTLSPolicyPatch.d.ts
@@ -0,0 +1,71 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+export declare class BackendTLSPolicyPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch";
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is BackendTLSPolicyPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.BackendTLSPolicySpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1.BackendTLSPolicyStatusPatch>;
+    /**
+     * Create a BackendTLSPolicyPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a BackendTLSPolicyPatch resource.
+ */
+export interface BackendTLSPolicyPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/backendTLSPolicyPatch.js b/generated/crds/gateway/v1/backendTLSPolicyPatch.js
new file mode 100644
index 0000000..abb0cce
--- /dev/null
+++ b/generated/crds/gateway/v1/backendTLSPolicyPatch.js
@@ -0,0 +1,72 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BackendTLSPolicyPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+class BackendTLSPolicyPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new BackendTLSPolicyPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicyPatch.__pulumiType;
+    }
+    /**
+     * Create a BackendTLSPolicyPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "BackendTLSPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(BackendTLSPolicyPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.BackendTLSPolicyPatch = BackendTLSPolicyPatch;
+/** @internal */
+BackendTLSPolicyPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch';
diff --git a/generated/crds/gateway/v1/backendTLSPolicyPatch.ts b/generated/crds/gateway/v1/backendTLSPolicyPatch.ts
new file mode 100644
index 0000000..fbc5981
--- /dev/null
+++ b/generated/crds/gateway/v1/backendTLSPolicyPatch.ts
@@ -0,0 +1,108 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+export class BackendTLSPolicyPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyPatch {
+        return new BackendTLSPolicyPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch';
+
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is BackendTLSPolicyPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicyPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.BackendTLSPolicySpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.BackendTLSPolicyStatusPatch>;
+
+    /**
+     * Create a BackendTLSPolicyPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "BackendTLSPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(BackendTLSPolicyPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a BackendTLSPolicyPatch resource.
+ */
+export interface BackendTLSPolicyPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/gateway.d.ts b/generated/crds/gateway/v1/gateway.d.ts
new file mode 100644
index 0000000..79291f0
--- /dev/null
+++ b/generated/crds/gateway/v1/gateway.d.ts
@@ -0,0 +1,65 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+export declare class Gateway extends pulumi.CustomResource {
+    /**
+     * Get an existing Gateway resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Gateway;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:Gateway";
+    /**
+     * Returns true if the given object is an instance of Gateway.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is Gateway;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.GatewaySpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1.GatewayStatus>;
+    /**
+     * Create a Gateway resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a Gateway resource.
+ */
+export interface GatewayArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.GatewaySpec>;
+}
diff --git a/generated/crds/gateway/v1/gateway.js b/generated/crds/gateway/v1/gateway.js
new file mode 100644
index 0000000..3d1b705
--- /dev/null
+++ b/generated/crds/gateway/v1/gateway.js
@@ -0,0 +1,66 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Gateway = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+class Gateway extends pulumi.CustomResource {
+    /**
+     * Get an existing Gateway resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new Gateway(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of Gateway.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Gateway.__pulumiType;
+    }
+    /**
+     * Create a Gateway resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "Gateway";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:Gateway" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(Gateway.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.Gateway = Gateway;
+/** @internal */
+Gateway.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:Gateway';
diff --git a/generated/crds/gateway/v1/gateway.ts b/generated/crds/gateway/v1/gateway.ts
new file mode 100644
index 0000000..c343420
--- /dev/null
+++ b/generated/crds/gateway/v1/gateway.ts
@@ -0,0 +1,102 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+export class Gateway extends pulumi.CustomResource {
+    /**
+     * Get an existing Gateway resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Gateway {
+        return new Gateway(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:Gateway';
+
+    /**
+     * Returns true if the given object is an instance of Gateway.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Gateway {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Gateway.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.GatewaySpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.GatewayStatus>;
+
+    /**
+     * Create a Gateway resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "Gateway";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:Gateway" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(Gateway.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a Gateway resource.
+ */
+export interface GatewayArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.GatewaySpec>;
+}
diff --git a/generated/crds/gateway/v1/gatewayClass.d.ts b/generated/crds/gateway/v1/gatewayClass.d.ts
new file mode 100644
index 0000000..4e3061a
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayClass.d.ts
@@ -0,0 +1,80 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+export declare class GatewayClass extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClass resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClass;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:GatewayClass";
+    /**
+     * Returns true if the given object is an instance of GatewayClass.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayClass;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.GatewayClassSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1.GatewayClassStatus>;
+    /**
+     * Create a GatewayClass resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayClass resource.
+ */
+export interface GatewayClassArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.GatewayClassSpec>;
+}
diff --git a/generated/crds/gateway/v1/gatewayClass.js b/generated/crds/gateway/v1/gatewayClass.js
new file mode 100644
index 0000000..740f515
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayClass.js
@@ -0,0 +1,81 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayClass = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+class GatewayClass extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClass resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayClass(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayClass.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClass.__pulumiType;
+    }
+    /**
+     * Create a GatewayClass resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "GatewayClass";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClass" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayClass.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayClass = GatewayClass;
+/** @internal */
+GatewayClass.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayClass';
diff --git a/generated/crds/gateway/v1/gatewayClass.ts b/generated/crds/gateway/v1/gatewayClass.ts
new file mode 100644
index 0000000..419322b
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayClass.ts
@@ -0,0 +1,117 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+export class GatewayClass extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClass resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClass {
+        return new GatewayClass(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayClass';
+
+    /**
+     * Returns true if the given object is an instance of GatewayClass.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayClass {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClass.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.GatewayClassSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.GatewayClassStatus>;
+
+    /**
+     * Create a GatewayClass resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "GatewayClass";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClass" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayClass.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayClass resource.
+ */
+export interface GatewayClassArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.GatewayClassSpec>;
+}
diff --git a/generated/crds/gateway/v1/gatewayClassList.d.ts b/generated/crds/gateway/v1/gatewayClassList.d.ts
new file mode 100644
index 0000000..0d85368
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayClassList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * GatewayClassList is a list of GatewayClass
+ */
+export declare class GatewayClassList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClassList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:GatewayClassList";
+    /**
+     * Returns true if the given object is an instance of GatewayClassList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayClassList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of gatewayclasses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1.GatewayClass[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GatewayClassList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a GatewayClassList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayClassList resource.
+ */
+export interface GatewayClassListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of gatewayclasses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayClass>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClassList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/gatewayClassList.js b/generated/crds/gateway/v1/gatewayClassList.js
new file mode 100644
index 0000000..9e291a7
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayClassList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayClassList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * GatewayClassList is a list of GatewayClass
+ */
+class GatewayClassList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayClassList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayClassList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClassList.__pulumiType;
+    }
+    /**
+     * Create a GatewayClassList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GatewayClassList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GatewayClassList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayClassList = GatewayClassList;
+/** @internal */
+GatewayClassList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayClassList';
diff --git a/generated/crds/gateway/v1/gatewayClassList.ts b/generated/crds/gateway/v1/gatewayClassList.ts
new file mode 100644
index 0000000..1d28cb8
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayClassList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * GatewayClassList is a list of GatewayClass
+ */
+export class GatewayClassList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClassList {
+        return new GatewayClassList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayClassList';
+
+    /**
+     * Returns true if the given object is an instance of GatewayClassList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayClassList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClassList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of gatewayclasses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1.GatewayClass[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GatewayClassList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a GatewayClassList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GatewayClassList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GatewayClassList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayClassList resource.
+ */
+export interface GatewayClassListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of gatewayclasses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayClass>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClassList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/gatewayClassPatch.d.ts b/generated/crds/gateway/v1/gatewayClassPatch.d.ts
new file mode 100644
index 0000000..4856660
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayClassPatch.d.ts
@@ -0,0 +1,86 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+export declare class GatewayClassPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClassPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:GatewayClassPatch";
+    /**
+     * Returns true if the given object is an instance of GatewayClassPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayClassPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.GatewayClassSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1.GatewayClassStatusPatch>;
+    /**
+     * Create a GatewayClassPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayClassPatch resource.
+ */
+export interface GatewayClassPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.GatewayClassSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/gatewayClassPatch.js b/generated/crds/gateway/v1/gatewayClassPatch.js
new file mode 100644
index 0000000..62943b8
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayClassPatch.js
@@ -0,0 +1,87 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayClassPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+class GatewayClassPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayClassPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayClassPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClassPatch.__pulumiType;
+    }
+    /**
+     * Create a GatewayClassPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "GatewayClass";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayClassPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayClassPatch = GatewayClassPatch;
+/** @internal */
+GatewayClassPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayClassPatch';
diff --git a/generated/crds/gateway/v1/gatewayClassPatch.ts b/generated/crds/gateway/v1/gatewayClassPatch.ts
new file mode 100644
index 0000000..1f3b927
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayClassPatch.ts
@@ -0,0 +1,123 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+export class GatewayClassPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClassPatch {
+        return new GatewayClassPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayClassPatch';
+
+    /**
+     * Returns true if the given object is an instance of GatewayClassPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayClassPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClassPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.GatewayClassSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.GatewayClassStatusPatch>;
+
+    /**
+     * Create a GatewayClassPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "GatewayClass";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayClassPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayClassPatch resource.
+ */
+export interface GatewayClassPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.GatewayClassSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/gatewayList.d.ts b/generated/crds/gateway/v1/gatewayList.d.ts
new file mode 100644
index 0000000..2c56e60
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * GatewayList is a list of Gateway
+ */
+export declare class GatewayList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:GatewayList";
+    /**
+     * Returns true if the given object is an instance of GatewayList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of gateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1.Gateway[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GatewayList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a GatewayList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayList resource.
+ */
+export interface GatewayListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of gateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.Gateway>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/gatewayList.js b/generated/crds/gateway/v1/gatewayList.js
new file mode 100644
index 0000000..6cd6915
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * GatewayList is a list of Gateway
+ */
+class GatewayList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayList.__pulumiType;
+    }
+    /**
+     * Create a GatewayList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GatewayList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GatewayList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayList = GatewayList;
+/** @internal */
+GatewayList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayList';
diff --git a/generated/crds/gateway/v1/gatewayList.ts b/generated/crds/gateway/v1/gatewayList.ts
new file mode 100644
index 0000000..641a54d
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * GatewayList is a list of Gateway
+ */
+export class GatewayList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayList {
+        return new GatewayList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayList';
+
+    /**
+     * Returns true if the given object is an instance of GatewayList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of gateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1.Gateway[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GatewayList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a GatewayList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GatewayList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GatewayList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayList resource.
+ */
+export interface GatewayListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of gateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.Gateway>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/gatewayPatch.d.ts b/generated/crds/gateway/v1/gatewayPatch.d.ts
new file mode 100644
index 0000000..0a13b59
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayPatch.d.ts
@@ -0,0 +1,71 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+export declare class GatewayPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:GatewayPatch";
+    /**
+     * Returns true if the given object is an instance of GatewayPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.GatewaySpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1.GatewayStatusPatch>;
+    /**
+     * Create a GatewayPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayPatch resource.
+ */
+export interface GatewayPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.GatewaySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/gatewayPatch.js b/generated/crds/gateway/v1/gatewayPatch.js
new file mode 100644
index 0000000..6bb24fd
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayPatch.js
@@ -0,0 +1,72 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+class GatewayPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayPatch.__pulumiType;
+    }
+    /**
+     * Create a GatewayPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "Gateway";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayPatch = GatewayPatch;
+/** @internal */
+GatewayPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayPatch';
diff --git a/generated/crds/gateway/v1/gatewayPatch.ts b/generated/crds/gateway/v1/gatewayPatch.ts
new file mode 100644
index 0000000..871d3a2
--- /dev/null
+++ b/generated/crds/gateway/v1/gatewayPatch.ts
@@ -0,0 +1,108 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+export class GatewayPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayPatch {
+        return new GatewayPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GatewayPatch';
+
+    /**
+     * Returns true if the given object is an instance of GatewayPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.GatewaySpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.GatewayStatusPatch>;
+
+    /**
+     * Create a GatewayPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "Gateway";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayPatch resource.
+ */
+export interface GatewayPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.GatewaySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/grpcroute.d.ts b/generated/crds/gateway/v1/grpcroute.d.ts
new file mode 100644
index 0000000..42863ca
--- /dev/null
+++ b/generated/crds/gateway/v1/grpcroute.d.ts
@@ -0,0 +1,90 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * GRPCRoute provides a way to route gRPC requests. This includes the capability
+ * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ * Filters can be used to specify additional processing steps. Backends specify
+ * where matching requests will be routed.
+ *
+ * GRPCRoute falls under extended support within the Gateway API. Within the
+ * following specification, the word "MUST" indicates that an implementation
+ * supporting GRPCRoute must conform to the indicated requirement, but an
+ * implementation not supporting this route type need not follow the requirement
+ * unless explicitly indicated.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ * ALPN. If the implementation does not support this, then it MUST set the
+ * "Accepted" condition to "False" for the affected listener with a reason of
+ * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+ * with an upgrade from HTTP/1.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ * support HTTP/2 over cleartext TCP (h2c,
+ * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ * upgrade from HTTP/1.1, i.e. with prior knowledge
+ * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ * does not support this, then it MUST set the "Accepted" condition to "False"
+ * for the affected listener with a reason of "UnsupportedProtocol".
+ * Implementations MAY also accept HTTP/2 connections with an upgrade from
+ * HTTP/1, i.e. without prior knowledge.
+ */
+export declare class GRPCRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing GRPCRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GRPCRoute;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:GRPCRoute";
+    /**
+     * Returns true if the given object is an instance of GRPCRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GRPCRoute;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GRPCRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.GRPCRouteSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1.GRPCRouteStatus>;
+    /**
+     * Create a GRPCRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GRPCRouteArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GRPCRoute resource.
+ */
+export interface GRPCRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GRPCRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1/grpcroute.js b/generated/crds/gateway/v1/grpcroute.js
new file mode 100644
index 0000000..628299e
--- /dev/null
+++ b/generated/crds/gateway/v1/grpcroute.js
@@ -0,0 +1,89 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GRPCRoute = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * GRPCRoute provides a way to route gRPC requests. This includes the capability
+ * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ * Filters can be used to specify additional processing steps. Backends specify
+ * where matching requests will be routed.
+ *
+ * GRPCRoute falls under extended support within the Gateway API. Within the
+ * following specification, the word "MUST" indicates that an implementation
+ * supporting GRPCRoute must conform to the indicated requirement, but an
+ * implementation not supporting this route type need not follow the requirement
+ * unless explicitly indicated.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ * ALPN. If the implementation does not support this, then it MUST set the
+ * "Accepted" condition to "False" for the affected listener with a reason of
+ * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+ * with an upgrade from HTTP/1.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ * support HTTP/2 over cleartext TCP (h2c,
+ * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ * upgrade from HTTP/1.1, i.e. with prior knowledge
+ * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ * does not support this, then it MUST set the "Accepted" condition to "False"
+ * for the affected listener with a reason of "UnsupportedProtocol".
+ * Implementations MAY also accept HTTP/2 connections with an upgrade from
+ * HTTP/1, i.e. without prior knowledge.
+ */
+class GRPCRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing GRPCRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GRPCRoute(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GRPCRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GRPCRoute.__pulumiType;
+    }
+    /**
+     * Create a GRPCRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "GRPCRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GRPCRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GRPCRoute = GRPCRoute;
+/** @internal */
+GRPCRoute.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GRPCRoute';
diff --git a/generated/crds/gateway/v1/grpcroute.ts b/generated/crds/gateway/v1/grpcroute.ts
new file mode 100644
index 0000000..4e9a8e7
--- /dev/null
+++ b/generated/crds/gateway/v1/grpcroute.ts
@@ -0,0 +1,125 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * GRPCRoute provides a way to route gRPC requests. This includes the capability
+ * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ * Filters can be used to specify additional processing steps. Backends specify
+ * where matching requests will be routed.
+ *
+ * GRPCRoute falls under extended support within the Gateway API. Within the
+ * following specification, the word "MUST" indicates that an implementation
+ * supporting GRPCRoute must conform to the indicated requirement, but an
+ * implementation not supporting this route type need not follow the requirement
+ * unless explicitly indicated.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ * ALPN. If the implementation does not support this, then it MUST set the
+ * "Accepted" condition to "False" for the affected listener with a reason of
+ * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+ * with an upgrade from HTTP/1.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ * support HTTP/2 over cleartext TCP (h2c,
+ * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ * upgrade from HTTP/1.1, i.e. with prior knowledge
+ * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ * does not support this, then it MUST set the "Accepted" condition to "False"
+ * for the affected listener with a reason of "UnsupportedProtocol".
+ * Implementations MAY also accept HTTP/2 connections with an upgrade from
+ * HTTP/1, i.e. without prior knowledge.
+ */
+export class GRPCRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing GRPCRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GRPCRoute {
+        return new GRPCRoute(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GRPCRoute';
+
+    /**
+     * Returns true if the given object is an instance of GRPCRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GRPCRoute {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GRPCRoute.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GRPCRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.GRPCRouteSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.GRPCRouteStatus>;
+
+    /**
+     * Create a GRPCRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GRPCRouteArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "GRPCRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GRPCRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GRPCRoute resource.
+ */
+export interface GRPCRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GRPCRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1/grpcrouteList.d.ts b/generated/crds/gateway/v1/grpcrouteList.d.ts
new file mode 100644
index 0000000..e1ca36c
--- /dev/null
+++ b/generated/crds/gateway/v1/grpcrouteList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * GRPCRouteList is a list of GRPCRoute
+ */
+export declare class GRPCRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing GRPCRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GRPCRouteList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:GRPCRouteList";
+    /**
+     * Returns true if the given object is an instance of GRPCRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GRPCRouteList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of grpcroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1.GRPCRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GRPCRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a GRPCRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GRPCRouteListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GRPCRouteList resource.
+ */
+export interface GRPCRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of grpcroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GRPCRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/grpcrouteList.js b/generated/crds/gateway/v1/grpcrouteList.js
new file mode 100644
index 0000000..263c245
--- /dev/null
+++ b/generated/crds/gateway/v1/grpcrouteList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GRPCRouteList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * GRPCRouteList is a list of GRPCRoute
+ */
+class GRPCRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing GRPCRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GRPCRouteList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GRPCRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GRPCRouteList.__pulumiType;
+    }
+    /**
+     * Create a GRPCRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GRPCRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GRPCRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GRPCRouteList = GRPCRouteList;
+/** @internal */
+GRPCRouteList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GRPCRouteList';
diff --git a/generated/crds/gateway/v1/grpcrouteList.ts b/generated/crds/gateway/v1/grpcrouteList.ts
new file mode 100644
index 0000000..7d67452
--- /dev/null
+++ b/generated/crds/gateway/v1/grpcrouteList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * GRPCRouteList is a list of GRPCRoute
+ */
+export class GRPCRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing GRPCRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GRPCRouteList {
+        return new GRPCRouteList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GRPCRouteList';
+
+    /**
+     * Returns true if the given object is an instance of GRPCRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GRPCRouteList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GRPCRouteList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of grpcroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1.GRPCRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GRPCRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a GRPCRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GRPCRouteListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GRPCRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GRPCRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GRPCRouteList resource.
+ */
+export interface GRPCRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of grpcroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GRPCRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/grpcroutePatch.d.ts b/generated/crds/gateway/v1/grpcroutePatch.d.ts
new file mode 100644
index 0000000..996e5e9
--- /dev/null
+++ b/generated/crds/gateway/v1/grpcroutePatch.d.ts
@@ -0,0 +1,96 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * GRPCRoute provides a way to route gRPC requests. This includes the capability
+ * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ * Filters can be used to specify additional processing steps. Backends specify
+ * where matching requests will be routed.
+ *
+ * GRPCRoute falls under extended support within the Gateway API. Within the
+ * following specification, the word "MUST" indicates that an implementation
+ * supporting GRPCRoute must conform to the indicated requirement, but an
+ * implementation not supporting this route type need not follow the requirement
+ * unless explicitly indicated.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ * ALPN. If the implementation does not support this, then it MUST set the
+ * "Accepted" condition to "False" for the affected listener with a reason of
+ * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+ * with an upgrade from HTTP/1.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ * support HTTP/2 over cleartext TCP (h2c,
+ * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ * upgrade from HTTP/1.1, i.e. with prior knowledge
+ * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ * does not support this, then it MUST set the "Accepted" condition to "False"
+ * for the affected listener with a reason of "UnsupportedProtocol".
+ * Implementations MAY also accept HTTP/2 connections with an upgrade from
+ * HTTP/1, i.e. without prior knowledge.
+ */
+export declare class GRPCRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GRPCRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GRPCRoutePatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:GRPCRoutePatch";
+    /**
+     * Returns true if the given object is an instance of GRPCRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GRPCRoutePatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GRPCRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.GRPCRouteSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1.GRPCRouteStatusPatch>;
+    /**
+     * Create a GRPCRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GRPCRoutePatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GRPCRoutePatch resource.
+ */
+export interface GRPCRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GRPCRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/grpcroutePatch.js b/generated/crds/gateway/v1/grpcroutePatch.js
new file mode 100644
index 0000000..dc53a8f
--- /dev/null
+++ b/generated/crds/gateway/v1/grpcroutePatch.js
@@ -0,0 +1,95 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GRPCRoutePatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * GRPCRoute provides a way to route gRPC requests. This includes the capability
+ * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ * Filters can be used to specify additional processing steps. Backends specify
+ * where matching requests will be routed.
+ *
+ * GRPCRoute falls under extended support within the Gateway API. Within the
+ * following specification, the word "MUST" indicates that an implementation
+ * supporting GRPCRoute must conform to the indicated requirement, but an
+ * implementation not supporting this route type need not follow the requirement
+ * unless explicitly indicated.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ * ALPN. If the implementation does not support this, then it MUST set the
+ * "Accepted" condition to "False" for the affected listener with a reason of
+ * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+ * with an upgrade from HTTP/1.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ * support HTTP/2 over cleartext TCP (h2c,
+ * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ * upgrade from HTTP/1.1, i.e. with prior knowledge
+ * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ * does not support this, then it MUST set the "Accepted" condition to "False"
+ * for the affected listener with a reason of "UnsupportedProtocol".
+ * Implementations MAY also accept HTTP/2 connections with an upgrade from
+ * HTTP/1, i.e. without prior knowledge.
+ */
+class GRPCRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GRPCRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GRPCRoutePatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GRPCRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GRPCRoutePatch.__pulumiType;
+    }
+    /**
+     * Create a GRPCRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "GRPCRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GRPCRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GRPCRoutePatch = GRPCRoutePatch;
+/** @internal */
+GRPCRoutePatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GRPCRoutePatch';
diff --git a/generated/crds/gateway/v1/grpcroutePatch.ts b/generated/crds/gateway/v1/grpcroutePatch.ts
new file mode 100644
index 0000000..1807eb2
--- /dev/null
+++ b/generated/crds/gateway/v1/grpcroutePatch.ts
@@ -0,0 +1,131 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * GRPCRoute provides a way to route gRPC requests. This includes the capability
+ * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ * Filters can be used to specify additional processing steps. Backends specify
+ * where matching requests will be routed.
+ *
+ * GRPCRoute falls under extended support within the Gateway API. Within the
+ * following specification, the word "MUST" indicates that an implementation
+ * supporting GRPCRoute must conform to the indicated requirement, but an
+ * implementation not supporting this route type need not follow the requirement
+ * unless explicitly indicated.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ * ALPN. If the implementation does not support this, then it MUST set the
+ * "Accepted" condition to "False" for the affected listener with a reason of
+ * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+ * with an upgrade from HTTP/1.
+ *
+ * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ * support HTTP/2 over cleartext TCP (h2c,
+ * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ * upgrade from HTTP/1.1, i.e. with prior knowledge
+ * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ * does not support this, then it MUST set the "Accepted" condition to "False"
+ * for the affected listener with a reason of "UnsupportedProtocol".
+ * Implementations MAY also accept HTTP/2 connections with an upgrade from
+ * HTTP/1, i.e. without prior knowledge.
+ */
+export class GRPCRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GRPCRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GRPCRoutePatch {
+        return new GRPCRoutePatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:GRPCRoutePatch';
+
+    /**
+     * Returns true if the given object is an instance of GRPCRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GRPCRoutePatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GRPCRoutePatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GRPCRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.GRPCRouteSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.GRPCRouteStatusPatch>;
+
+    /**
+     * Create a GRPCRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GRPCRoutePatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "GRPCRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GRPCRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GRPCRoutePatch resource.
+ */
+export interface GRPCRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GRPCRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/httproute.d.ts b/generated/crds/gateway/v1/httproute.d.ts
new file mode 100644
index 0000000..219e5d5
--- /dev/null
+++ b/generated/crds/gateway/v1/httproute.d.ts
@@ -0,0 +1,67 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+export declare class HTTPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRoute;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:HTTPRoute";
+    /**
+     * Returns true if the given object is an instance of HTTPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is HTTPRoute;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.HTTPRouteSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1.HTTPRouteStatus>;
+    /**
+     * Create a HTTPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRouteArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a HTTPRoute resource.
+ */
+export interface HTTPRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1/httproute.js b/generated/crds/gateway/v1/httproute.js
new file mode 100644
index 0000000..246cd1d
--- /dev/null
+++ b/generated/crds/gateway/v1/httproute.js
@@ -0,0 +1,68 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HTTPRoute = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+class HTTPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new HTTPRoute(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of HTTPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRoute.__pulumiType;
+    }
+    /**
+     * Create a HTTPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "HTTPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoute" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(HTTPRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.HTTPRoute = HTTPRoute;
+/** @internal */
+HTTPRoute.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:HTTPRoute';
diff --git a/generated/crds/gateway/v1/httproute.ts b/generated/crds/gateway/v1/httproute.ts
new file mode 100644
index 0000000..473796d
--- /dev/null
+++ b/generated/crds/gateway/v1/httproute.ts
@@ -0,0 +1,104 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+export class HTTPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRoute {
+        return new HTTPRoute(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:HTTPRoute';
+
+    /**
+     * Returns true if the given object is an instance of HTTPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is HTTPRoute {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRoute.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.HTTPRouteSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.HTTPRouteStatus>;
+
+    /**
+     * Create a HTTPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRouteArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "HTTPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoute" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(HTTPRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a HTTPRoute resource.
+ */
+export interface HTTPRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1/httprouteList.d.ts b/generated/crds/gateway/v1/httprouteList.d.ts
new file mode 100644
index 0000000..8a99d2e
--- /dev/null
+++ b/generated/crds/gateway/v1/httprouteList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * HTTPRouteList is a list of HTTPRoute
+ */
+export declare class HTTPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRouteList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:HTTPRouteList";
+    /**
+     * Returns true if the given object is an instance of HTTPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is HTTPRouteList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of httproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1.HTTPRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"HTTPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a HTTPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRouteListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a HTTPRouteList resource.
+ */
+export interface HTTPRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of httproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/httprouteList.js b/generated/crds/gateway/v1/httprouteList.js
new file mode 100644
index 0000000..7d92e57
--- /dev/null
+++ b/generated/crds/gateway/v1/httprouteList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HTTPRouteList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * HTTPRouteList is a list of HTTPRoute
+ */
+class HTTPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new HTTPRouteList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of HTTPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRouteList.__pulumiType;
+    }
+    /**
+     * Create a HTTPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "HTTPRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(HTTPRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.HTTPRouteList = HTTPRouteList;
+/** @internal */
+HTTPRouteList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:HTTPRouteList';
diff --git a/generated/crds/gateway/v1/httprouteList.ts b/generated/crds/gateway/v1/httprouteList.ts
new file mode 100644
index 0000000..44c4c04
--- /dev/null
+++ b/generated/crds/gateway/v1/httprouteList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * HTTPRouteList is a list of HTTPRoute
+ */
+export class HTTPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRouteList {
+        return new HTTPRouteList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:HTTPRouteList';
+
+    /**
+     * Returns true if the given object is an instance of HTTPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is HTTPRouteList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRouteList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of httproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1.HTTPRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"HTTPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a HTTPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRouteListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "HTTPRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(HTTPRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a HTTPRouteList resource.
+ */
+export interface HTTPRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * List of httproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1/httproutePatch.d.ts b/generated/crds/gateway/v1/httproutePatch.d.ts
new file mode 100644
index 0000000..f67e057
--- /dev/null
+++ b/generated/crds/gateway/v1/httproutePatch.d.ts
@@ -0,0 +1,73 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+export declare class HTTPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRoutePatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1:HTTPRoutePatch";
+    /**
+     * Returns true if the given object is an instance of HTTPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is HTTPRoutePatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1.HTTPRouteSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1.HTTPRouteStatusPatch>;
+    /**
+     * Create a HTTPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRoutePatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a HTTPRoutePatch resource.
+ */
+export interface HTTPRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/httproutePatch.js b/generated/crds/gateway/v1/httproutePatch.js
new file mode 100644
index 0000000..5021501
--- /dev/null
+++ b/generated/crds/gateway/v1/httproutePatch.js
@@ -0,0 +1,74 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HTTPRoutePatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+class HTTPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new HTTPRoutePatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of HTTPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRoutePatch.__pulumiType;
+    }
+    /**
+     * Create a HTTPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "HTTPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoutePatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(HTTPRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.HTTPRoutePatch = HTTPRoutePatch;
+/** @internal */
+HTTPRoutePatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:HTTPRoutePatch';
diff --git a/generated/crds/gateway/v1/httproutePatch.ts b/generated/crds/gateway/v1/httproutePatch.ts
new file mode 100644
index 0000000..eefd535
--- /dev/null
+++ b/generated/crds/gateway/v1/httproutePatch.ts
@@ -0,0 +1,110 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+export class HTTPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRoutePatch {
+        return new HTTPRoutePatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1:HTTPRoutePatch';
+
+    /**
+     * Returns true if the given object is an instance of HTTPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is HTTPRoutePatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRoutePatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1.HTTPRouteSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1.HTTPRouteStatusPatch>;
+
+    /**
+     * Create a HTTPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRoutePatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1";
+            resourceInputs["kind"] = "HTTPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoutePatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(HTTPRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a HTTPRoutePatch resource.
+ */
+export interface HTTPRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1/index.d.ts b/generated/crds/gateway/v1/index.d.ts
new file mode 100644
index 0000000..6ef6dd9
--- /dev/null
+++ b/generated/crds/gateway/v1/index.d.ts
@@ -0,0 +1,45 @@
+export { BackendTLSPolicyArgs } from "./backendTLSPolicy";
+export type BackendTLSPolicy = import("./backendTLSPolicy").BackendTLSPolicy;
+export declare const BackendTLSPolicy: typeof import("./backendTLSPolicy").BackendTLSPolicy;
+export { BackendTLSPolicyListArgs } from "./backendTLSPolicyList";
+export type BackendTLSPolicyList = import("./backendTLSPolicyList").BackendTLSPolicyList;
+export declare const BackendTLSPolicyList: typeof import("./backendTLSPolicyList").BackendTLSPolicyList;
+export { BackendTLSPolicyPatchArgs } from "./backendTLSPolicyPatch";
+export type BackendTLSPolicyPatch = import("./backendTLSPolicyPatch").BackendTLSPolicyPatch;
+export declare const BackendTLSPolicyPatch: typeof import("./backendTLSPolicyPatch").BackendTLSPolicyPatch;
+export { GatewayArgs } from "./gateway";
+export type Gateway = import("./gateway").Gateway;
+export declare const Gateway: typeof import("./gateway").Gateway;
+export { GatewayClassArgs } from "./gatewayClass";
+export type GatewayClass = import("./gatewayClass").GatewayClass;
+export declare const GatewayClass: typeof import("./gatewayClass").GatewayClass;
+export { GatewayClassListArgs } from "./gatewayClassList";
+export type GatewayClassList = import("./gatewayClassList").GatewayClassList;
+export declare const GatewayClassList: typeof import("./gatewayClassList").GatewayClassList;
+export { GatewayClassPatchArgs } from "./gatewayClassPatch";
+export type GatewayClassPatch = import("./gatewayClassPatch").GatewayClassPatch;
+export declare const GatewayClassPatch: typeof import("./gatewayClassPatch").GatewayClassPatch;
+export { GatewayListArgs } from "./gatewayList";
+export type GatewayList = import("./gatewayList").GatewayList;
+export declare const GatewayList: typeof import("./gatewayList").GatewayList;
+export { GatewayPatchArgs } from "./gatewayPatch";
+export type GatewayPatch = import("./gatewayPatch").GatewayPatch;
+export declare const GatewayPatch: typeof import("./gatewayPatch").GatewayPatch;
+export { GRPCRouteArgs } from "./grpcroute";
+export type GRPCRoute = import("./grpcroute").GRPCRoute;
+export declare const GRPCRoute: typeof import("./grpcroute").GRPCRoute;
+export { GRPCRouteListArgs } from "./grpcrouteList";
+export type GRPCRouteList = import("./grpcrouteList").GRPCRouteList;
+export declare const GRPCRouteList: typeof import("./grpcrouteList").GRPCRouteList;
+export { GRPCRoutePatchArgs } from "./grpcroutePatch";
+export type GRPCRoutePatch = import("./grpcroutePatch").GRPCRoutePatch;
+export declare const GRPCRoutePatch: typeof import("./grpcroutePatch").GRPCRoutePatch;
+export { HTTPRouteArgs } from "./httproute";
+export type HTTPRoute = import("./httproute").HTTPRoute;
+export declare const HTTPRoute: typeof import("./httproute").HTTPRoute;
+export { HTTPRouteListArgs } from "./httprouteList";
+export type HTTPRouteList = import("./httprouteList").HTTPRouteList;
+export declare const HTTPRouteList: typeof import("./httprouteList").HTTPRouteList;
+export { HTTPRoutePatchArgs } from "./httproutePatch";
+export type HTTPRoutePatch = import("./httproutePatch").HTTPRoutePatch;
+export declare const HTTPRoutePatch: typeof import("./httproutePatch").HTTPRoutePatch;
diff --git a/generated/crds/gateway/v1/index.js b/generated/crds/gateway/v1/index.js
new file mode 100644
index 0000000..3d3147f
--- /dev/null
+++ b/generated/crds/gateway/v1/index.js
@@ -0,0 +1,77 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HTTPRoutePatch = exports.HTTPRouteList = exports.HTTPRoute = exports.GRPCRoutePatch = exports.GRPCRouteList = exports.GRPCRoute = exports.GatewayPatch = exports.GatewayList = exports.GatewayClassPatch = exports.GatewayClassList = exports.GatewayClass = exports.Gateway = exports.BackendTLSPolicyPatch = exports.BackendTLSPolicyList = exports.BackendTLSPolicy = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+exports.BackendTLSPolicy = null;
+utilities.lazyLoad(exports, ["BackendTLSPolicy"], () => require("./backendTLSPolicy"));
+exports.BackendTLSPolicyList = null;
+utilities.lazyLoad(exports, ["BackendTLSPolicyList"], () => require("./backendTLSPolicyList"));
+exports.BackendTLSPolicyPatch = null;
+utilities.lazyLoad(exports, ["BackendTLSPolicyPatch"], () => require("./backendTLSPolicyPatch"));
+exports.Gateway = null;
+utilities.lazyLoad(exports, ["Gateway"], () => require("./gateway"));
+exports.GatewayClass = null;
+utilities.lazyLoad(exports, ["GatewayClass"], () => require("./gatewayClass"));
+exports.GatewayClassList = null;
+utilities.lazyLoad(exports, ["GatewayClassList"], () => require("./gatewayClassList"));
+exports.GatewayClassPatch = null;
+utilities.lazyLoad(exports, ["GatewayClassPatch"], () => require("./gatewayClassPatch"));
+exports.GatewayList = null;
+utilities.lazyLoad(exports, ["GatewayList"], () => require("./gatewayList"));
+exports.GatewayPatch = null;
+utilities.lazyLoad(exports, ["GatewayPatch"], () => require("./gatewayPatch"));
+exports.GRPCRoute = null;
+utilities.lazyLoad(exports, ["GRPCRoute"], () => require("./grpcroute"));
+exports.GRPCRouteList = null;
+utilities.lazyLoad(exports, ["GRPCRouteList"], () => require("./grpcrouteList"));
+exports.GRPCRoutePatch = null;
+utilities.lazyLoad(exports, ["GRPCRoutePatch"], () => require("./grpcroutePatch"));
+exports.HTTPRoute = null;
+utilities.lazyLoad(exports, ["HTTPRoute"], () => require("./httproute"));
+exports.HTTPRouteList = null;
+utilities.lazyLoad(exports, ["HTTPRouteList"], () => require("./httprouteList"));
+exports.HTTPRoutePatch = null;
+utilities.lazyLoad(exports, ["HTTPRoutePatch"], () => require("./httproutePatch"));
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name, type, urn) => {
+        switch (type) {
+            case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy":
+                return new exports.BackendTLSPolicy(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList":
+                return new exports.BackendTLSPolicyList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch":
+                return new exports.BackendTLSPolicyPatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:GRPCRoute":
+                return new exports.GRPCRoute(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:GRPCRouteList":
+                return new exports.GRPCRouteList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:GRPCRoutePatch":
+                return new exports.GRPCRoutePatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:Gateway":
+                return new exports.Gateway(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayClass":
+                return new exports.GatewayClass(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayClassList":
+                return new exports.GatewayClassList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayClassPatch":
+                return new exports.GatewayClassPatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayList":
+                return new exports.GatewayList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayPatch":
+                return new exports.GatewayPatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:HTTPRoute":
+                return new exports.HTTPRoute(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:HTTPRouteList":
+                return new exports.HTTPRouteList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1:HTTPRoutePatch":
+                return new exports.HTTPRoutePatch(name, undefined, { urn });
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.k8s.io/v1", _module);
diff --git a/generated/crds/gateway/v1/index.ts b/generated/crds/gateway/v1/index.ts
new file mode 100644
index 0000000..6df6065
--- /dev/null
+++ b/generated/crds/gateway/v1/index.ts
@@ -0,0 +1,123 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../../utilities";
+
+// Export members:
+export { BackendTLSPolicyArgs } from "./backendTLSPolicy";
+export type BackendTLSPolicy = import("./backendTLSPolicy").BackendTLSPolicy;
+export const BackendTLSPolicy: typeof import("./backendTLSPolicy").BackendTLSPolicy = null as any;
+utilities.lazyLoad(exports, ["BackendTLSPolicy"], () => require("./backendTLSPolicy"));
+
+export { BackendTLSPolicyListArgs } from "./backendTLSPolicyList";
+export type BackendTLSPolicyList = import("./backendTLSPolicyList").BackendTLSPolicyList;
+export const BackendTLSPolicyList: typeof import("./backendTLSPolicyList").BackendTLSPolicyList = null as any;
+utilities.lazyLoad(exports, ["BackendTLSPolicyList"], () => require("./backendTLSPolicyList"));
+
+export { BackendTLSPolicyPatchArgs } from "./backendTLSPolicyPatch";
+export type BackendTLSPolicyPatch = import("./backendTLSPolicyPatch").BackendTLSPolicyPatch;
+export const BackendTLSPolicyPatch: typeof import("./backendTLSPolicyPatch").BackendTLSPolicyPatch = null as any;
+utilities.lazyLoad(exports, ["BackendTLSPolicyPatch"], () => require("./backendTLSPolicyPatch"));
+
+export { GatewayArgs } from "./gateway";
+export type Gateway = import("./gateway").Gateway;
+export const Gateway: typeof import("./gateway").Gateway = null as any;
+utilities.lazyLoad(exports, ["Gateway"], () => require("./gateway"));
+
+export { GatewayClassArgs } from "./gatewayClass";
+export type GatewayClass = import("./gatewayClass").GatewayClass;
+export const GatewayClass: typeof import("./gatewayClass").GatewayClass = null as any;
+utilities.lazyLoad(exports, ["GatewayClass"], () => require("./gatewayClass"));
+
+export { GatewayClassListArgs } from "./gatewayClassList";
+export type GatewayClassList = import("./gatewayClassList").GatewayClassList;
+export const GatewayClassList: typeof import("./gatewayClassList").GatewayClassList = null as any;
+utilities.lazyLoad(exports, ["GatewayClassList"], () => require("./gatewayClassList"));
+
+export { GatewayClassPatchArgs } from "./gatewayClassPatch";
+export type GatewayClassPatch = import("./gatewayClassPatch").GatewayClassPatch;
+export const GatewayClassPatch: typeof import("./gatewayClassPatch").GatewayClassPatch = null as any;
+utilities.lazyLoad(exports, ["GatewayClassPatch"], () => require("./gatewayClassPatch"));
+
+export { GatewayListArgs } from "./gatewayList";
+export type GatewayList = import("./gatewayList").GatewayList;
+export const GatewayList: typeof import("./gatewayList").GatewayList = null as any;
+utilities.lazyLoad(exports, ["GatewayList"], () => require("./gatewayList"));
+
+export { GatewayPatchArgs } from "./gatewayPatch";
+export type GatewayPatch = import("./gatewayPatch").GatewayPatch;
+export const GatewayPatch: typeof import("./gatewayPatch").GatewayPatch = null as any;
+utilities.lazyLoad(exports, ["GatewayPatch"], () => require("./gatewayPatch"));
+
+export { GRPCRouteArgs } from "./grpcroute";
+export type GRPCRoute = import("./grpcroute").GRPCRoute;
+export const GRPCRoute: typeof import("./grpcroute").GRPCRoute = null as any;
+utilities.lazyLoad(exports, ["GRPCRoute"], () => require("./grpcroute"));
+
+export { GRPCRouteListArgs } from "./grpcrouteList";
+export type GRPCRouteList = import("./grpcrouteList").GRPCRouteList;
+export const GRPCRouteList: typeof import("./grpcrouteList").GRPCRouteList = null as any;
+utilities.lazyLoad(exports, ["GRPCRouteList"], () => require("./grpcrouteList"));
+
+export { GRPCRoutePatchArgs } from "./grpcroutePatch";
+export type GRPCRoutePatch = import("./grpcroutePatch").GRPCRoutePatch;
+export const GRPCRoutePatch: typeof import("./grpcroutePatch").GRPCRoutePatch = null as any;
+utilities.lazyLoad(exports, ["GRPCRoutePatch"], () => require("./grpcroutePatch"));
+
+export { HTTPRouteArgs } from "./httproute";
+export type HTTPRoute = import("./httproute").HTTPRoute;
+export const HTTPRoute: typeof import("./httproute").HTTPRoute = null as any;
+utilities.lazyLoad(exports, ["HTTPRoute"], () => require("./httproute"));
+
+export { HTTPRouteListArgs } from "./httprouteList";
+export type HTTPRouteList = import("./httprouteList").HTTPRouteList;
+export const HTTPRouteList: typeof import("./httprouteList").HTTPRouteList = null as any;
+utilities.lazyLoad(exports, ["HTTPRouteList"], () => require("./httprouteList"));
+
+export { HTTPRoutePatchArgs } from "./httproutePatch";
+export type HTTPRoutePatch = import("./httproutePatch").HTTPRoutePatch;
+export const HTTPRoutePatch: typeof import("./httproutePatch").HTTPRoutePatch = null as any;
+utilities.lazyLoad(exports, ["HTTPRoutePatch"], () => require("./httproutePatch"));
+
+
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name: string, type: string, urn: string): pulumi.Resource => {
+        switch (type) {
+            case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy":
+                return new BackendTLSPolicy(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyList":
+                return new BackendTLSPolicyList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch":
+                return new BackendTLSPolicyPatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:GRPCRoute":
+                return new GRPCRoute(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:GRPCRouteList":
+                return new GRPCRouteList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:GRPCRoutePatch":
+                return new GRPCRoutePatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:Gateway":
+                return new Gateway(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayClass":
+                return new GatewayClass(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayClassList":
+                return new GatewayClassList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayClassPatch":
+                return new GatewayClassPatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayList":
+                return new GatewayList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:GatewayPatch":
+                return new GatewayPatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:HTTPRoute":
+                return new HTTPRoute(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:HTTPRouteList":
+                return new HTTPRouteList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1:HTTPRoutePatch":
+                return new HTTPRoutePatch(name, <any>undefined, { urn })
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.k8s.io/v1", _module)
diff --git a/generated/crds/gateway/v1alpha1/index.d.ts b/generated/crds/gateway/v1alpha1/index.d.ts
new file mode 100644
index 0000000..c25dcc0
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/index.d.ts
@@ -0,0 +1,27 @@
+export { XBackendTrafficPolicyArgs } from "./xbackendTrafficPolicy";
+export type XBackendTrafficPolicy = import("./xbackendTrafficPolicy").XBackendTrafficPolicy;
+export declare const XBackendTrafficPolicy: typeof import("./xbackendTrafficPolicy").XBackendTrafficPolicy;
+export { XBackendTrafficPolicyListArgs } from "./xbackendTrafficPolicyList";
+export type XBackendTrafficPolicyList = import("./xbackendTrafficPolicyList").XBackendTrafficPolicyList;
+export declare const XBackendTrafficPolicyList: typeof import("./xbackendTrafficPolicyList").XBackendTrafficPolicyList;
+export { XBackendTrafficPolicyPatchArgs } from "./xbackendTrafficPolicyPatch";
+export type XBackendTrafficPolicyPatch = import("./xbackendTrafficPolicyPatch").XBackendTrafficPolicyPatch;
+export declare const XBackendTrafficPolicyPatch: typeof import("./xbackendTrafficPolicyPatch").XBackendTrafficPolicyPatch;
+export { XListenerSetArgs } from "./xlistenerSet";
+export type XListenerSet = import("./xlistenerSet").XListenerSet;
+export declare const XListenerSet: typeof import("./xlistenerSet").XListenerSet;
+export { XListenerSetListArgs } from "./xlistenerSetList";
+export type XListenerSetList = import("./xlistenerSetList").XListenerSetList;
+export declare const XListenerSetList: typeof import("./xlistenerSetList").XListenerSetList;
+export { XListenerSetPatchArgs } from "./xlistenerSetPatch";
+export type XListenerSetPatch = import("./xlistenerSetPatch").XListenerSetPatch;
+export declare const XListenerSetPatch: typeof import("./xlistenerSetPatch").XListenerSetPatch;
+export { XMeshArgs } from "./xmesh";
+export type XMesh = import("./xmesh").XMesh;
+export declare const XMesh: typeof import("./xmesh").XMesh;
+export { XMeshListArgs } from "./xmeshList";
+export type XMeshList = import("./xmeshList").XMeshList;
+export declare const XMeshList: typeof import("./xmeshList").XMeshList;
+export { XMeshPatchArgs } from "./xmeshPatch";
+export type XMeshPatch = import("./xmeshPatch").XMeshPatch;
+export declare const XMeshPatch: typeof import("./xmeshPatch").XMeshPatch;
diff --git a/generated/crds/gateway/v1alpha1/index.js b/generated/crds/gateway/v1alpha1/index.js
new file mode 100644
index 0000000..75e3ad1
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/index.js
@@ -0,0 +1,53 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XMeshPatch = exports.XMeshList = exports.XMesh = exports.XListenerSetPatch = exports.XListenerSetList = exports.XListenerSet = exports.XBackendTrafficPolicyPatch = exports.XBackendTrafficPolicyList = exports.XBackendTrafficPolicy = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+exports.XBackendTrafficPolicy = null;
+utilities.lazyLoad(exports, ["XBackendTrafficPolicy"], () => require("./xbackendTrafficPolicy"));
+exports.XBackendTrafficPolicyList = null;
+utilities.lazyLoad(exports, ["XBackendTrafficPolicyList"], () => require("./xbackendTrafficPolicyList"));
+exports.XBackendTrafficPolicyPatch = null;
+utilities.lazyLoad(exports, ["XBackendTrafficPolicyPatch"], () => require("./xbackendTrafficPolicyPatch"));
+exports.XListenerSet = null;
+utilities.lazyLoad(exports, ["XListenerSet"], () => require("./xlistenerSet"));
+exports.XListenerSetList = null;
+utilities.lazyLoad(exports, ["XListenerSetList"], () => require("./xlistenerSetList"));
+exports.XListenerSetPatch = null;
+utilities.lazyLoad(exports, ["XListenerSetPatch"], () => require("./xlistenerSetPatch"));
+exports.XMesh = null;
+utilities.lazyLoad(exports, ["XMesh"], () => require("./xmesh"));
+exports.XMeshList = null;
+utilities.lazyLoad(exports, ["XMeshList"], () => require("./xmeshList"));
+exports.XMeshPatch = null;
+utilities.lazyLoad(exports, ["XMeshPatch"], () => require("./xmeshPatch"));
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name, type, urn) => {
+        switch (type) {
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy":
+                return new exports.XBackendTrafficPolicy(name, undefined, { urn });
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList":
+                return new exports.XBackendTrafficPolicyList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch":
+                return new exports.XBackendTrafficPolicyPatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet":
+                return new exports.XListenerSet(name, undefined, { urn });
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList":
+                return new exports.XListenerSetList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch":
+                return new exports.XListenerSetPatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh":
+                return new exports.XMesh(name, undefined, { urn });
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList":
+                return new exports.XMeshList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch":
+                return new exports.XMeshPatch(name, undefined, { urn });
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.x-k8s.io/v1alpha1", _module);
diff --git a/generated/crds/gateway/v1alpha1/index.ts b/generated/crds/gateway/v1alpha1/index.ts
new file mode 100644
index 0000000..fad4e1a
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/index.ts
@@ -0,0 +1,81 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../../utilities";
+
+// Export members:
+export { XBackendTrafficPolicyArgs } from "./xbackendTrafficPolicy";
+export type XBackendTrafficPolicy = import("./xbackendTrafficPolicy").XBackendTrafficPolicy;
+export const XBackendTrafficPolicy: typeof import("./xbackendTrafficPolicy").XBackendTrafficPolicy = null as any;
+utilities.lazyLoad(exports, ["XBackendTrafficPolicy"], () => require("./xbackendTrafficPolicy"));
+
+export { XBackendTrafficPolicyListArgs } from "./xbackendTrafficPolicyList";
+export type XBackendTrafficPolicyList = import("./xbackendTrafficPolicyList").XBackendTrafficPolicyList;
+export const XBackendTrafficPolicyList: typeof import("./xbackendTrafficPolicyList").XBackendTrafficPolicyList = null as any;
+utilities.lazyLoad(exports, ["XBackendTrafficPolicyList"], () => require("./xbackendTrafficPolicyList"));
+
+export { XBackendTrafficPolicyPatchArgs } from "./xbackendTrafficPolicyPatch";
+export type XBackendTrafficPolicyPatch = import("./xbackendTrafficPolicyPatch").XBackendTrafficPolicyPatch;
+export const XBackendTrafficPolicyPatch: typeof import("./xbackendTrafficPolicyPatch").XBackendTrafficPolicyPatch = null as any;
+utilities.lazyLoad(exports, ["XBackendTrafficPolicyPatch"], () => require("./xbackendTrafficPolicyPatch"));
+
+export { XListenerSetArgs } from "./xlistenerSet";
+export type XListenerSet = import("./xlistenerSet").XListenerSet;
+export const XListenerSet: typeof import("./xlistenerSet").XListenerSet = null as any;
+utilities.lazyLoad(exports, ["XListenerSet"], () => require("./xlistenerSet"));
+
+export { XListenerSetListArgs } from "./xlistenerSetList";
+export type XListenerSetList = import("./xlistenerSetList").XListenerSetList;
+export const XListenerSetList: typeof import("./xlistenerSetList").XListenerSetList = null as any;
+utilities.lazyLoad(exports, ["XListenerSetList"], () => require("./xlistenerSetList"));
+
+export { XListenerSetPatchArgs } from "./xlistenerSetPatch";
+export type XListenerSetPatch = import("./xlistenerSetPatch").XListenerSetPatch;
+export const XListenerSetPatch: typeof import("./xlistenerSetPatch").XListenerSetPatch = null as any;
+utilities.lazyLoad(exports, ["XListenerSetPatch"], () => require("./xlistenerSetPatch"));
+
+export { XMeshArgs } from "./xmesh";
+export type XMesh = import("./xmesh").XMesh;
+export const XMesh: typeof import("./xmesh").XMesh = null as any;
+utilities.lazyLoad(exports, ["XMesh"], () => require("./xmesh"));
+
+export { XMeshListArgs } from "./xmeshList";
+export type XMeshList = import("./xmeshList").XMeshList;
+export const XMeshList: typeof import("./xmeshList").XMeshList = null as any;
+utilities.lazyLoad(exports, ["XMeshList"], () => require("./xmeshList"));
+
+export { XMeshPatchArgs } from "./xmeshPatch";
+export type XMeshPatch = import("./xmeshPatch").XMeshPatch;
+export const XMeshPatch: typeof import("./xmeshPatch").XMeshPatch = null as any;
+utilities.lazyLoad(exports, ["XMeshPatch"], () => require("./xmeshPatch"));
+
+
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name: string, type: string, urn: string): pulumi.Resource => {
+        switch (type) {
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy":
+                return new XBackendTrafficPolicy(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList":
+                return new XBackendTrafficPolicyList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch":
+                return new XBackendTrafficPolicyPatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet":
+                return new XListenerSet(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList":
+                return new XListenerSetList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch":
+                return new XListenerSetPatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh":
+                return new XMesh(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList":
+                return new XMeshList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch":
+                return new XMeshPatch(name, <any>undefined, { urn })
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.x-k8s.io/v1alpha1", _module)
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.d.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.d.ts
new file mode 100644
index 0000000..2499b52
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.d.ts
@@ -0,0 +1,65 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * XBackendTrafficPolicy defines the configuration for how traffic to a
+ * target backend should be handled.
+ */
+export declare class XBackendTrafficPolicy extends pulumi.CustomResource {
+    /**
+     * Get an existing XBackendTrafficPolicy resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicy;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy";
+    /**
+     * Returns true if the given object is an instance of XBackendTrafficPolicy.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is XBackendTrafficPolicy;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"XBackendTrafficPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicySpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicyStatus>;
+    /**
+     * Create a XBackendTrafficPolicy resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XBackendTrafficPolicyArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a XBackendTrafficPolicy resource.
+ */
+export interface XBackendTrafficPolicyArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XBackendTrafficPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpec>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.js b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.js
new file mode 100644
index 0000000..13ab344
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XBackendTrafficPolicy = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * XBackendTrafficPolicy defines the configuration for how traffic to a
+ * target backend should be handled.
+ */
+class XBackendTrafficPolicy extends pulumi.CustomResource {
+    /**
+     * Get an existing XBackendTrafficPolicy resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new XBackendTrafficPolicy(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of XBackendTrafficPolicy.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XBackendTrafficPolicy.__pulumiType;
+    }
+    /**
+     * Create a XBackendTrafficPolicy resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XBackendTrafficPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XBackendTrafficPolicy.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.XBackendTrafficPolicy = XBackendTrafficPolicy;
+/** @internal */
+XBackendTrafficPolicy.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy';
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.ts
new file mode 100644
index 0000000..471cb7f
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicy.ts
@@ -0,0 +1,100 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * XBackendTrafficPolicy defines the configuration for how traffic to a
+ * target backend should be handled.
+ */
+export class XBackendTrafficPolicy extends pulumi.CustomResource {
+    /**
+     * Get an existing XBackendTrafficPolicy resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicy {
+        return new XBackendTrafficPolicy(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicy';
+
+    /**
+     * Returns true if the given object is an instance of XBackendTrafficPolicy.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is XBackendTrafficPolicy {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XBackendTrafficPolicy.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"XBackendTrafficPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicySpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicyStatus>;
+
+    /**
+     * Create a XBackendTrafficPolicy resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XBackendTrafficPolicyArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XBackendTrafficPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XBackendTrafficPolicy.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a XBackendTrafficPolicy resource.
+ */
+export interface XBackendTrafficPolicyArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XBackendTrafficPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpec>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.d.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.d.ts
new file mode 100644
index 0000000..af63b79
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * XBackendTrafficPolicyList is a list of XBackendTrafficPolicy
+ */
+export declare class XBackendTrafficPolicyList extends pulumi.CustomResource {
+    /**
+     * Get an existing XBackendTrafficPolicyList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicyList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList";
+    /**
+     * Returns true if the given object is an instance of XBackendTrafficPolicyList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is XBackendTrafficPolicyList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xbackendtrafficpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicy[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"XBackendTrafficPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a XBackendTrafficPolicyList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XBackendTrafficPolicyListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a XBackendTrafficPolicyList resource.
+ */
+export interface XBackendTrafficPolicyListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xbackendtrafficpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicy>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XBackendTrafficPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.js b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.js
new file mode 100644
index 0000000..0d96f86
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XBackendTrafficPolicyList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * XBackendTrafficPolicyList is a list of XBackendTrafficPolicy
+ */
+class XBackendTrafficPolicyList extends pulumi.CustomResource {
+    /**
+     * Get an existing XBackendTrafficPolicyList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new XBackendTrafficPolicyList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of XBackendTrafficPolicyList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XBackendTrafficPolicyList.__pulumiType;
+    }
+    /**
+     * Create a XBackendTrafficPolicyList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "XBackendTrafficPolicyList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XBackendTrafficPolicyList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.XBackendTrafficPolicyList = XBackendTrafficPolicyList;
+/** @internal */
+XBackendTrafficPolicyList.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList';
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.ts
new file mode 100644
index 0000000..a12df0e
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * XBackendTrafficPolicyList is a list of XBackendTrafficPolicy
+ */
+export class XBackendTrafficPolicyList extends pulumi.CustomResource {
+    /**
+     * Get an existing XBackendTrafficPolicyList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicyList {
+        return new XBackendTrafficPolicyList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyList';
+
+    /**
+     * Returns true if the given object is an instance of XBackendTrafficPolicyList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is XBackendTrafficPolicyList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XBackendTrafficPolicyList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xbackendtrafficpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicy[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"XBackendTrafficPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a XBackendTrafficPolicyList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XBackendTrafficPolicyListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "XBackendTrafficPolicyList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XBackendTrafficPolicyList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a XBackendTrafficPolicyList resource.
+ */
+export interface XBackendTrafficPolicyListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xbackendtrafficpolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicy>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XBackendTrafficPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.d.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.d.ts
new file mode 100644
index 0000000..9810e7a
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.d.ts
@@ -0,0 +1,71 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * XBackendTrafficPolicy defines the configuration for how traffic to a
+ * target backend should be handled.
+ */
+export declare class XBackendTrafficPolicyPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing XBackendTrafficPolicyPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicyPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch";
+    /**
+     * Returns true if the given object is an instance of XBackendTrafficPolicyPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is XBackendTrafficPolicyPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"XBackendTrafficPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicySpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusPatch>;
+    /**
+     * Create a XBackendTrafficPolicyPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XBackendTrafficPolicyPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a XBackendTrafficPolicyPatch resource.
+ */
+export interface XBackendTrafficPolicyPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XBackendTrafficPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.js b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.js
new file mode 100644
index 0000000..027697c
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.js
@@ -0,0 +1,70 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XBackendTrafficPolicyPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * XBackendTrafficPolicy defines the configuration for how traffic to a
+ * target backend should be handled.
+ */
+class XBackendTrafficPolicyPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing XBackendTrafficPolicyPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new XBackendTrafficPolicyPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of XBackendTrafficPolicyPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XBackendTrafficPolicyPatch.__pulumiType;
+    }
+    /**
+     * Create a XBackendTrafficPolicyPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XBackendTrafficPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XBackendTrafficPolicyPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.XBackendTrafficPolicyPatch = XBackendTrafficPolicyPatch;
+/** @internal */
+XBackendTrafficPolicyPatch.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch';
diff --git a/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.ts b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.ts
new file mode 100644
index 0000000..de47d3c
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xbackendTrafficPolicyPatch.ts
@@ -0,0 +1,106 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * XBackendTrafficPolicy defines the configuration for how traffic to a
+ * target backend should be handled.
+ */
+export class XBackendTrafficPolicyPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing XBackendTrafficPolicyPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XBackendTrafficPolicyPatch {
+        return new XBackendTrafficPolicyPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XBackendTrafficPolicyPatch';
+
+    /**
+     * Returns true if the given object is an instance of XBackendTrafficPolicyPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is XBackendTrafficPolicyPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XBackendTrafficPolicyPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"XBackendTrafficPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicySpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusPatch>;
+
+    /**
+     * Create a XBackendTrafficPolicyPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XBackendTrafficPolicyPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XBackendTrafficPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XBackendTrafficPolicyPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a XBackendTrafficPolicyPatch resource.
+ */
+export interface XBackendTrafficPolicyPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XBackendTrafficPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSet.d.ts b/generated/crds/gateway/v1alpha1/xlistenerSet.d.ts
new file mode 100644
index 0000000..56dac3a
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xlistenerSet.d.ts
@@ -0,0 +1,90 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+ *
+ * The parent Gateway must explicitly allow ListenerSet attachment through its
+ * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+ * attachment.
+ *
+ * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+ * optionally target specific listeners using the sectionName field.
+ *
+ * Policy Attachment:
+ * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+ * - Policies do not impact listeners in the parent Gateway
+ * - Different ListenerSets attached to the same Gateway can have different policies
+ * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+ *
+ * ReferenceGrant Semantics:
+ * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+ * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+ * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+ *
+ * Gateway Integration:
+ * - The parent Gateway's status will include an "AttachedListenerSets" condition
+ * - This condition will be:
+ *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+ *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+ *   - Unknown: when no AllowedListeners config is present
+ */
+export declare class XListenerSet extends pulumi.CustomResource {
+    /**
+     * Get an existing XListenerSet resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XListenerSet;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet";
+    /**
+     * Returns true if the given object is an instance of XListenerSet.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is XListenerSet;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"XListenerSet">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha1.XListenerSetSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha1.XListenerSetStatus>;
+    /**
+     * Create a XListenerSet resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XListenerSetArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a XListenerSet resource.
+ */
+export interface XListenerSetArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XListenerSet">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSet.js b/generated/crds/gateway/v1alpha1/xlistenerSet.js
new file mode 100644
index 0000000..92c6b15
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xlistenerSet.js
@@ -0,0 +1,89 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XListenerSet = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+ *
+ * The parent Gateway must explicitly allow ListenerSet attachment through its
+ * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+ * attachment.
+ *
+ * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+ * optionally target specific listeners using the sectionName field.
+ *
+ * Policy Attachment:
+ * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+ * - Policies do not impact listeners in the parent Gateway
+ * - Different ListenerSets attached to the same Gateway can have different policies
+ * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+ *
+ * ReferenceGrant Semantics:
+ * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+ * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+ * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+ *
+ * Gateway Integration:
+ * - The parent Gateway's status will include an "AttachedListenerSets" condition
+ * - This condition will be:
+ *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+ *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+ *   - Unknown: when no AllowedListeners config is present
+ */
+class XListenerSet extends pulumi.CustomResource {
+    /**
+     * Get an existing XListenerSet resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new XListenerSet(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of XListenerSet.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XListenerSet.__pulumiType;
+    }
+    /**
+     * Create a XListenerSet resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XListenerSet";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XListenerSet.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.XListenerSet = XListenerSet;
+/** @internal */
+XListenerSet.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet';
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSet.ts b/generated/crds/gateway/v1alpha1/xlistenerSet.ts
new file mode 100644
index 0000000..a2e8757
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xlistenerSet.ts
@@ -0,0 +1,125 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+ *
+ * The parent Gateway must explicitly allow ListenerSet attachment through its
+ * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+ * attachment.
+ *
+ * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+ * optionally target specific listeners using the sectionName field.
+ *
+ * Policy Attachment:
+ * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+ * - Policies do not impact listeners in the parent Gateway
+ * - Different ListenerSets attached to the same Gateway can have different policies
+ * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+ *
+ * ReferenceGrant Semantics:
+ * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+ * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+ * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+ *
+ * Gateway Integration:
+ * - The parent Gateway's status will include an "AttachedListenerSets" condition
+ * - This condition will be:
+ *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+ *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+ *   - Unknown: when no AllowedListeners config is present
+ */
+export class XListenerSet extends pulumi.CustomResource {
+    /**
+     * Get an existing XListenerSet resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XListenerSet {
+        return new XListenerSet(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSet';
+
+    /**
+     * Returns true if the given object is an instance of XListenerSet.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is XListenerSet {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XListenerSet.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"XListenerSet">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha1.XListenerSetSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha1.XListenerSetStatus>;
+
+    /**
+     * Create a XListenerSet resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XListenerSetArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XListenerSet";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XListenerSet.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a XListenerSet resource.
+ */
+export interface XListenerSetArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XListenerSet">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetList.d.ts b/generated/crds/gateway/v1alpha1/xlistenerSetList.d.ts
new file mode 100644
index 0000000..2b0dc76
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xlistenerSetList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * XListenerSetList is a list of XListenerSet
+ */
+export declare class XListenerSetList extends pulumi.CustomResource {
+    /**
+     * Get an existing XListenerSetList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XListenerSetList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList";
+    /**
+     * Returns true if the given object is an instance of XListenerSetList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is XListenerSetList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xlistenersets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1alpha1.XListenerSet[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"XListenerSetList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a XListenerSetList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XListenerSetListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a XListenerSetList resource.
+ */
+export interface XListenerSetListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xlistenersets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSet>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XListenerSetList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetList.js b/generated/crds/gateway/v1alpha1/xlistenerSetList.js
new file mode 100644
index 0000000..3e2db37
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xlistenerSetList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XListenerSetList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * XListenerSetList is a list of XListenerSet
+ */
+class XListenerSetList extends pulumi.CustomResource {
+    /**
+     * Get an existing XListenerSetList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new XListenerSetList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of XListenerSetList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XListenerSetList.__pulumiType;
+    }
+    /**
+     * Create a XListenerSetList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "XListenerSetList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XListenerSetList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.XListenerSetList = XListenerSetList;
+/** @internal */
+XListenerSetList.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList';
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetList.ts b/generated/crds/gateway/v1alpha1/xlistenerSetList.ts
new file mode 100644
index 0000000..eafa88c
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xlistenerSetList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * XListenerSetList is a list of XListenerSet
+ */
+export class XListenerSetList extends pulumi.CustomResource {
+    /**
+     * Get an existing XListenerSetList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XListenerSetList {
+        return new XListenerSetList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetList';
+
+    /**
+     * Returns true if the given object is an instance of XListenerSetList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is XListenerSetList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XListenerSetList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xlistenersets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1alpha1.XListenerSet[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"XListenerSetList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a XListenerSetList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XListenerSetListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "XListenerSetList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XListenerSetList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a XListenerSetList resource.
+ */
+export interface XListenerSetListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xlistenersets. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSet>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XListenerSetList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetPatch.d.ts b/generated/crds/gateway/v1alpha1/xlistenerSetPatch.d.ts
new file mode 100644
index 0000000..456ab67
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xlistenerSetPatch.d.ts
@@ -0,0 +1,96 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+ *
+ * The parent Gateway must explicitly allow ListenerSet attachment through its
+ * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+ * attachment.
+ *
+ * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+ * optionally target specific listeners using the sectionName field.
+ *
+ * Policy Attachment:
+ * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+ * - Policies do not impact listeners in the parent Gateway
+ * - Different ListenerSets attached to the same Gateway can have different policies
+ * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+ *
+ * ReferenceGrant Semantics:
+ * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+ * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+ * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+ *
+ * Gateway Integration:
+ * - The parent Gateway's status will include an "AttachedListenerSets" condition
+ * - This condition will be:
+ *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+ *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+ *   - Unknown: when no AllowedListeners config is present
+ */
+export declare class XListenerSetPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing XListenerSetPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XListenerSetPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch";
+    /**
+     * Returns true if the given object is an instance of XListenerSetPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is XListenerSetPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"XListenerSet">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha1.XListenerSetSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha1.XListenerSetStatusPatch>;
+    /**
+     * Create a XListenerSetPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XListenerSetPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a XListenerSetPatch resource.
+ */
+export interface XListenerSetPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XListenerSet">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetPatch.js b/generated/crds/gateway/v1alpha1/xlistenerSetPatch.js
new file mode 100644
index 0000000..c4a679c
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xlistenerSetPatch.js
@@ -0,0 +1,95 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XListenerSetPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+ *
+ * The parent Gateway must explicitly allow ListenerSet attachment through its
+ * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+ * attachment.
+ *
+ * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+ * optionally target specific listeners using the sectionName field.
+ *
+ * Policy Attachment:
+ * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+ * - Policies do not impact listeners in the parent Gateway
+ * - Different ListenerSets attached to the same Gateway can have different policies
+ * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+ *
+ * ReferenceGrant Semantics:
+ * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+ * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+ * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+ *
+ * Gateway Integration:
+ * - The parent Gateway's status will include an "AttachedListenerSets" condition
+ * - This condition will be:
+ *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+ *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+ *   - Unknown: when no AllowedListeners config is present
+ */
+class XListenerSetPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing XListenerSetPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new XListenerSetPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of XListenerSetPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XListenerSetPatch.__pulumiType;
+    }
+    /**
+     * Create a XListenerSetPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XListenerSet";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XListenerSetPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.XListenerSetPatch = XListenerSetPatch;
+/** @internal */
+XListenerSetPatch.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch';
diff --git a/generated/crds/gateway/v1alpha1/xlistenerSetPatch.ts b/generated/crds/gateway/v1alpha1/xlistenerSetPatch.ts
new file mode 100644
index 0000000..4243259
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xlistenerSetPatch.ts
@@ -0,0 +1,131 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+ *
+ * The parent Gateway must explicitly allow ListenerSet attachment through its
+ * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+ * attachment.
+ *
+ * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+ * optionally target specific listeners using the sectionName field.
+ *
+ * Policy Attachment:
+ * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+ * - Policies do not impact listeners in the parent Gateway
+ * - Different ListenerSets attached to the same Gateway can have different policies
+ * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+ *
+ * ReferenceGrant Semantics:
+ * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+ * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+ * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+ *
+ * Gateway Integration:
+ * - The parent Gateway's status will include an "AttachedListenerSets" condition
+ * - This condition will be:
+ *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+ *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+ *   - Unknown: when no AllowedListeners config is present
+ */
+export class XListenerSetPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing XListenerSetPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XListenerSetPatch {
+        return new XListenerSetPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XListenerSetPatch';
+
+    /**
+     * Returns true if the given object is an instance of XListenerSetPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is XListenerSetPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XListenerSetPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"XListenerSet">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha1.XListenerSetSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha1.XListenerSetStatusPatch>;
+
+    /**
+     * Create a XListenerSetPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XListenerSetPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XListenerSet";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XListenerSetPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a XListenerSetPatch resource.
+ */
+export interface XListenerSetPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XListenerSet">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xmesh.d.ts b/generated/crds/gateway/v1alpha1/xmesh.d.ts
new file mode 100644
index 0000000..d4bc618
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xmesh.d.ts
@@ -0,0 +1,64 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+ */
+export declare class XMesh extends pulumi.CustomResource {
+    /**
+     * Get an existing XMesh resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XMesh;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh";
+    /**
+     * Returns true if the given object is an instance of XMesh.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is XMesh;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"XMesh">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha1.XMeshSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha1.XMeshStatus>;
+    /**
+     * Create a XMesh resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XMeshArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a XMesh resource.
+ */
+export interface XMeshArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XMesh">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xmesh.js b/generated/crds/gateway/v1alpha1/xmesh.js
new file mode 100644
index 0000000..dc69782
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xmesh.js
@@ -0,0 +1,63 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XMesh = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+ */
+class XMesh extends pulumi.CustomResource {
+    /**
+     * Get an existing XMesh resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new XMesh(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of XMesh.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XMesh.__pulumiType;
+    }
+    /**
+     * Create a XMesh resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XMesh";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XMesh.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.XMesh = XMesh;
+/** @internal */
+XMesh.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh';
diff --git a/generated/crds/gateway/v1alpha1/xmesh.ts b/generated/crds/gateway/v1alpha1/xmesh.ts
new file mode 100644
index 0000000..cc9ab6f
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xmesh.ts
@@ -0,0 +1,99 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+ */
+export class XMesh extends pulumi.CustomResource {
+    /**
+     * Get an existing XMesh resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XMesh {
+        return new XMesh(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMesh';
+
+    /**
+     * Returns true if the given object is an instance of XMesh.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is XMesh {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XMesh.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"XMesh">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha1.XMeshSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha1.XMeshStatus>;
+
+    /**
+     * Create a XMesh resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XMeshArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XMesh";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XMesh.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a XMesh resource.
+ */
+export interface XMeshArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XMesh">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xmeshList.d.ts b/generated/crds/gateway/v1alpha1/xmeshList.d.ts
new file mode 100644
index 0000000..838948b
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xmeshList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * XMeshList is a list of XMesh
+ */
+export declare class XMeshList extends pulumi.CustomResource {
+    /**
+     * Get an existing XMeshList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XMeshList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList";
+    /**
+     * Returns true if the given object is an instance of XMeshList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is XMeshList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xmeshes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1alpha1.XMesh[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"XMeshList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a XMeshList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XMeshListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a XMeshList resource.
+ */
+export interface XMeshListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xmeshes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XMesh>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XMeshList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xmeshList.js b/generated/crds/gateway/v1alpha1/xmeshList.js
new file mode 100644
index 0000000..44c0cac
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xmeshList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XMeshList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * XMeshList is a list of XMesh
+ */
+class XMeshList extends pulumi.CustomResource {
+    /**
+     * Get an existing XMeshList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new XMeshList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of XMeshList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XMeshList.__pulumiType;
+    }
+    /**
+     * Create a XMeshList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "XMeshList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XMeshList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.XMeshList = XMeshList;
+/** @internal */
+XMeshList.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList';
diff --git a/generated/crds/gateway/v1alpha1/xmeshList.ts b/generated/crds/gateway/v1alpha1/xmeshList.ts
new file mode 100644
index 0000000..d771bb5
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xmeshList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * XMeshList is a list of XMesh
+ */
+export class XMeshList extends pulumi.CustomResource {
+    /**
+     * Get an existing XMeshList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XMeshList {
+        return new XMeshList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshList';
+
+    /**
+     * Returns true if the given object is an instance of XMeshList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is XMeshList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XMeshList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xmeshes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1alpha1.XMesh[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"XMeshList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a XMeshList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XMeshListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "XMeshList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XMeshList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a XMeshList resource.
+ */
+export interface XMeshListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * List of xmeshes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XMesh>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XMeshList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xmeshPatch.d.ts b/generated/crds/gateway/v1alpha1/xmeshPatch.d.ts
new file mode 100644
index 0000000..d16ded4
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xmeshPatch.d.ts
@@ -0,0 +1,70 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+ */
+export declare class XMeshPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing XMeshPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XMeshPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch";
+    /**
+     * Returns true if the given object is an instance of XMeshPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is XMeshPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"XMesh">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha1.XMeshSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha1.XMeshStatusPatch>;
+    /**
+     * Create a XMeshPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XMeshPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a XMeshPatch resource.
+ */
+export interface XMeshPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XMesh">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha1/xmeshPatch.js b/generated/crds/gateway/v1alpha1/xmeshPatch.js
new file mode 100644
index 0000000..fd9701c
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xmeshPatch.js
@@ -0,0 +1,69 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XMeshPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+ */
+class XMeshPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing XMeshPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new XMeshPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of XMeshPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XMeshPatch.__pulumiType;
+    }
+    /**
+     * Create a XMeshPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XMesh";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XMeshPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.XMeshPatch = XMeshPatch;
+/** @internal */
+XMeshPatch.__pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch';
diff --git a/generated/crds/gateway/v1alpha1/xmeshPatch.ts b/generated/crds/gateway/v1alpha1/xmeshPatch.ts
new file mode 100644
index 0000000..ba3e50f
--- /dev/null
+++ b/generated/crds/gateway/v1alpha1/xmeshPatch.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+ */
+export class XMeshPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing XMeshPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): XMeshPatch {
+        return new XMeshPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.x-k8s.io/v1alpha1:XMeshPatch';
+
+    /**
+     * Returns true if the given object is an instance of XMeshPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is XMeshPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === XMeshPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"XMesh">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha1.XMeshSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha1.XMeshStatusPatch>;
+
+    /**
+     * Create a XMeshPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: XMeshPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.x-k8s.io/v1alpha1";
+            resourceInputs["kind"] = "XMesh";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(XMeshPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a XMeshPatch resource.
+ */
+export interface XMeshPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"XMesh">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha2/index.d.ts b/generated/crds/gateway/v1alpha2/index.d.ts
new file mode 100644
index 0000000..f6049ab
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/index.d.ts
@@ -0,0 +1,27 @@
+export { TCPRouteArgs } from "./tcproute";
+export type TCPRoute = import("./tcproute").TCPRoute;
+export declare const TCPRoute: typeof import("./tcproute").TCPRoute;
+export { TCPRouteListArgs } from "./tcprouteList";
+export type TCPRouteList = import("./tcprouteList").TCPRouteList;
+export declare const TCPRouteList: typeof import("./tcprouteList").TCPRouteList;
+export { TCPRoutePatchArgs } from "./tcproutePatch";
+export type TCPRoutePatch = import("./tcproutePatch").TCPRoutePatch;
+export declare const TCPRoutePatch: typeof import("./tcproutePatch").TCPRoutePatch;
+export { TLSRouteArgs } from "./tlsroute";
+export type TLSRoute = import("./tlsroute").TLSRoute;
+export declare const TLSRoute: typeof import("./tlsroute").TLSRoute;
+export { TLSRouteListArgs } from "./tlsrouteList";
+export type TLSRouteList = import("./tlsrouteList").TLSRouteList;
+export declare const TLSRouteList: typeof import("./tlsrouteList").TLSRouteList;
+export { TLSRoutePatchArgs } from "./tlsroutePatch";
+export type TLSRoutePatch = import("./tlsroutePatch").TLSRoutePatch;
+export declare const TLSRoutePatch: typeof import("./tlsroutePatch").TLSRoutePatch;
+export { UDPRouteArgs } from "./udproute";
+export type UDPRoute = import("./udproute").UDPRoute;
+export declare const UDPRoute: typeof import("./udproute").UDPRoute;
+export { UDPRouteListArgs } from "./udprouteList";
+export type UDPRouteList = import("./udprouteList").UDPRouteList;
+export declare const UDPRouteList: typeof import("./udprouteList").UDPRouteList;
+export { UDPRoutePatchArgs } from "./udproutePatch";
+export type UDPRoutePatch = import("./udproutePatch").UDPRoutePatch;
+export declare const UDPRoutePatch: typeof import("./udproutePatch").UDPRoutePatch;
diff --git a/generated/crds/gateway/v1alpha2/index.js b/generated/crds/gateway/v1alpha2/index.js
new file mode 100644
index 0000000..e2d0bc8
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/index.js
@@ -0,0 +1,53 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UDPRoutePatch = exports.UDPRouteList = exports.UDPRoute = exports.TLSRoutePatch = exports.TLSRouteList = exports.TLSRoute = exports.TCPRoutePatch = exports.TCPRouteList = exports.TCPRoute = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+exports.TCPRoute = null;
+utilities.lazyLoad(exports, ["TCPRoute"], () => require("./tcproute"));
+exports.TCPRouteList = null;
+utilities.lazyLoad(exports, ["TCPRouteList"], () => require("./tcprouteList"));
+exports.TCPRoutePatch = null;
+utilities.lazyLoad(exports, ["TCPRoutePatch"], () => require("./tcproutePatch"));
+exports.TLSRoute = null;
+utilities.lazyLoad(exports, ["TLSRoute"], () => require("./tlsroute"));
+exports.TLSRouteList = null;
+utilities.lazyLoad(exports, ["TLSRouteList"], () => require("./tlsrouteList"));
+exports.TLSRoutePatch = null;
+utilities.lazyLoad(exports, ["TLSRoutePatch"], () => require("./tlsroutePatch"));
+exports.UDPRoute = null;
+utilities.lazyLoad(exports, ["UDPRoute"], () => require("./udproute"));
+exports.UDPRouteList = null;
+utilities.lazyLoad(exports, ["UDPRouteList"], () => require("./udprouteList"));
+exports.UDPRoutePatch = null;
+utilities.lazyLoad(exports, ["UDPRoutePatch"], () => require("./udproutePatch"));
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name, type, urn) => {
+        switch (type) {
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoute":
+                return new exports.TCPRoute(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRouteList":
+                return new exports.TCPRouteList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoutePatch":
+                return new exports.TCPRoutePatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoute":
+                return new exports.TLSRoute(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRouteList":
+                return new exports.TLSRouteList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoutePatch":
+                return new exports.TLSRoutePatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoute":
+                return new exports.UDPRoute(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRouteList":
+                return new exports.UDPRouteList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoutePatch":
+                return new exports.UDPRoutePatch(name, undefined, { urn });
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.k8s.io/v1alpha2", _module);
diff --git a/generated/crds/gateway/v1alpha2/index.ts b/generated/crds/gateway/v1alpha2/index.ts
new file mode 100644
index 0000000..1845db4
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/index.ts
@@ -0,0 +1,81 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../../utilities";
+
+// Export members:
+export { TCPRouteArgs } from "./tcproute";
+export type TCPRoute = import("./tcproute").TCPRoute;
+export const TCPRoute: typeof import("./tcproute").TCPRoute = null as any;
+utilities.lazyLoad(exports, ["TCPRoute"], () => require("./tcproute"));
+
+export { TCPRouteListArgs } from "./tcprouteList";
+export type TCPRouteList = import("./tcprouteList").TCPRouteList;
+export const TCPRouteList: typeof import("./tcprouteList").TCPRouteList = null as any;
+utilities.lazyLoad(exports, ["TCPRouteList"], () => require("./tcprouteList"));
+
+export { TCPRoutePatchArgs } from "./tcproutePatch";
+export type TCPRoutePatch = import("./tcproutePatch").TCPRoutePatch;
+export const TCPRoutePatch: typeof import("./tcproutePatch").TCPRoutePatch = null as any;
+utilities.lazyLoad(exports, ["TCPRoutePatch"], () => require("./tcproutePatch"));
+
+export { TLSRouteArgs } from "./tlsroute";
+export type TLSRoute = import("./tlsroute").TLSRoute;
+export const TLSRoute: typeof import("./tlsroute").TLSRoute = null as any;
+utilities.lazyLoad(exports, ["TLSRoute"], () => require("./tlsroute"));
+
+export { TLSRouteListArgs } from "./tlsrouteList";
+export type TLSRouteList = import("./tlsrouteList").TLSRouteList;
+export const TLSRouteList: typeof import("./tlsrouteList").TLSRouteList = null as any;
+utilities.lazyLoad(exports, ["TLSRouteList"], () => require("./tlsrouteList"));
+
+export { TLSRoutePatchArgs } from "./tlsroutePatch";
+export type TLSRoutePatch = import("./tlsroutePatch").TLSRoutePatch;
+export const TLSRoutePatch: typeof import("./tlsroutePatch").TLSRoutePatch = null as any;
+utilities.lazyLoad(exports, ["TLSRoutePatch"], () => require("./tlsroutePatch"));
+
+export { UDPRouteArgs } from "./udproute";
+export type UDPRoute = import("./udproute").UDPRoute;
+export const UDPRoute: typeof import("./udproute").UDPRoute = null as any;
+utilities.lazyLoad(exports, ["UDPRoute"], () => require("./udproute"));
+
+export { UDPRouteListArgs } from "./udprouteList";
+export type UDPRouteList = import("./udprouteList").UDPRouteList;
+export const UDPRouteList: typeof import("./udprouteList").UDPRouteList = null as any;
+utilities.lazyLoad(exports, ["UDPRouteList"], () => require("./udprouteList"));
+
+export { UDPRoutePatchArgs } from "./udproutePatch";
+export type UDPRoutePatch = import("./udproutePatch").UDPRoutePatch;
+export const UDPRoutePatch: typeof import("./udproutePatch").UDPRoutePatch = null as any;
+utilities.lazyLoad(exports, ["UDPRoutePatch"], () => require("./udproutePatch"));
+
+
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name: string, type: string, urn: string): pulumi.Resource => {
+        switch (type) {
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoute":
+                return new TCPRoute(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRouteList":
+                return new TCPRouteList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoutePatch":
+                return new TCPRoutePatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoute":
+                return new TLSRoute(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRouteList":
+                return new TLSRouteList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoutePatch":
+                return new TLSRoutePatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoute":
+                return new UDPRoute(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRouteList":
+                return new UDPRouteList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoutePatch":
+                return new UDPRoutePatch(name, <any>undefined, { urn })
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.k8s.io/v1alpha2", _module)
diff --git a/generated/crds/gateway/v1alpha2/tcproute.d.ts b/generated/crds/gateway/v1alpha2/tcproute.d.ts
new file mode 100644
index 0000000..652c9aa
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tcproute.d.ts
@@ -0,0 +1,66 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+ * listener, it can be used to forward connections on the port specified by the
+ * listener to a set of backends specified by the TCPRoute.
+ */
+export declare class TCPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing TCPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TCPRoute;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoute";
+    /**
+     * Returns true if the given object is an instance of TCPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is TCPRoute;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"TCPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha2.TCPRouteSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha2.TCPRouteStatus>;
+    /**
+     * Create a TCPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TCPRouteArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a TCPRoute resource.
+ */
+export interface TCPRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TCPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tcproute.js b/generated/crds/gateway/v1alpha2/tcproute.js
new file mode 100644
index 0000000..7cb1c81
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tcproute.js
@@ -0,0 +1,65 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TCPRoute = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+ * listener, it can be used to forward connections on the port specified by the
+ * listener to a set of backends specified by the TCPRoute.
+ */
+class TCPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing TCPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new TCPRoute(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of TCPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TCPRoute.__pulumiType;
+    }
+    /**
+     * Create a TCPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "TCPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TCPRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.TCPRoute = TCPRoute;
+/** @internal */
+TCPRoute.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoute';
diff --git a/generated/crds/gateway/v1alpha2/tcproute.ts b/generated/crds/gateway/v1alpha2/tcproute.ts
new file mode 100644
index 0000000..01d6b24
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tcproute.ts
@@ -0,0 +1,101 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+ * listener, it can be used to forward connections on the port specified by the
+ * listener to a set of backends specified by the TCPRoute.
+ */
+export class TCPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing TCPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TCPRoute {
+        return new TCPRoute(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoute';
+
+    /**
+     * Returns true if the given object is an instance of TCPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is TCPRoute {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TCPRoute.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"TCPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha2.TCPRouteSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha2.TCPRouteStatus>;
+
+    /**
+     * Create a TCPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TCPRouteArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "TCPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TCPRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a TCPRoute resource.
+ */
+export interface TCPRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TCPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tcprouteList.d.ts b/generated/crds/gateway/v1alpha2/tcprouteList.d.ts
new file mode 100644
index 0000000..3cd84e2
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tcprouteList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * TCPRouteList is a list of TCPRoute
+ */
+export declare class TCPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing TCPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TCPRouteList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRouteList";
+    /**
+     * Returns true if the given object is an instance of TCPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is TCPRouteList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of tcproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1alpha2.TCPRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"TCPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a TCPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TCPRouteListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a TCPRouteList resource.
+ */
+export interface TCPRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of tcproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TCPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tcprouteList.js b/generated/crds/gateway/v1alpha2/tcprouteList.js
new file mode 100644
index 0000000..32d7f7f
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tcprouteList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TCPRouteList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * TCPRouteList is a list of TCPRoute
+ */
+class TCPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing TCPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new TCPRouteList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of TCPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TCPRouteList.__pulumiType;
+    }
+    /**
+     * Create a TCPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "TCPRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TCPRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.TCPRouteList = TCPRouteList;
+/** @internal */
+TCPRouteList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRouteList';
diff --git a/generated/crds/gateway/v1alpha2/tcprouteList.ts b/generated/crds/gateway/v1alpha2/tcprouteList.ts
new file mode 100644
index 0000000..69b81af
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tcprouteList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * TCPRouteList is a list of TCPRoute
+ */
+export class TCPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing TCPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TCPRouteList {
+        return new TCPRouteList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRouteList';
+
+    /**
+     * Returns true if the given object is an instance of TCPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is TCPRouteList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TCPRouteList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of tcproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1alpha2.TCPRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"TCPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a TCPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TCPRouteListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "TCPRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TCPRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a TCPRouteList resource.
+ */
+export interface TCPRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of tcproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TCPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tcproutePatch.d.ts b/generated/crds/gateway/v1alpha2/tcproutePatch.d.ts
new file mode 100644
index 0000000..eb96ac0
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tcproutePatch.d.ts
@@ -0,0 +1,72 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+ * listener, it can be used to forward connections on the port specified by the
+ * listener to a set of backends specified by the TCPRoute.
+ */
+export declare class TCPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing TCPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TCPRoutePatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoutePatch";
+    /**
+     * Returns true if the given object is an instance of TCPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is TCPRoutePatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"TCPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha2.TCPRouteSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha2.TCPRouteStatusPatch>;
+    /**
+     * Create a TCPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TCPRoutePatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a TCPRoutePatch resource.
+ */
+export interface TCPRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TCPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tcproutePatch.js b/generated/crds/gateway/v1alpha2/tcproutePatch.js
new file mode 100644
index 0000000..263a4dd
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tcproutePatch.js
@@ -0,0 +1,71 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TCPRoutePatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+ * listener, it can be used to forward connections on the port specified by the
+ * listener to a set of backends specified by the TCPRoute.
+ */
+class TCPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing TCPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new TCPRoutePatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of TCPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TCPRoutePatch.__pulumiType;
+    }
+    /**
+     * Create a TCPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "TCPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TCPRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.TCPRoutePatch = TCPRoutePatch;
+/** @internal */
+TCPRoutePatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoutePatch';
diff --git a/generated/crds/gateway/v1alpha2/tcproutePatch.ts b/generated/crds/gateway/v1alpha2/tcproutePatch.ts
new file mode 100644
index 0000000..f44e8ae
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tcproutePatch.ts
@@ -0,0 +1,107 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+ * listener, it can be used to forward connections on the port specified by the
+ * listener to a set of backends specified by the TCPRoute.
+ */
+export class TCPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing TCPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TCPRoutePatch {
+        return new TCPRoutePatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TCPRoutePatch';
+
+    /**
+     * Returns true if the given object is an instance of TCPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is TCPRoutePatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TCPRoutePatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"TCPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha2.TCPRouteSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha2.TCPRouteStatusPatch>;
+
+    /**
+     * Create a TCPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TCPRoutePatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "TCPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TCPRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a TCPRoutePatch resource.
+ */
+export interface TCPRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TCPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tlsroute.d.ts b/generated/crds/gateway/v1alpha2/tlsroute.d.ts
new file mode 100644
index 0000000..a162142
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tlsroute.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+export declare class TLSRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRoute;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoute";
+    /**
+     * Returns true if the given object is an instance of TLSRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is TLSRoute;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha2.TLSRouteSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha2.TLSRouteStatus>;
+    /**
+     * Create a TLSRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRouteArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a TLSRoute resource.
+ */
+export interface TLSRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tlsroute.js b/generated/crds/gateway/v1alpha2/tlsroute.js
new file mode 100644
index 0000000..631a2f1
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tlsroute.js
@@ -0,0 +1,70 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TLSRoute = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+class TLSRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new TLSRoute(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of TLSRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRoute.__pulumiType;
+    }
+    /**
+     * Create a TLSRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "TLSRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(TLSRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.TLSRoute = TLSRoute;
+/** @internal */
+TLSRoute.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoute';
diff --git a/generated/crds/gateway/v1alpha2/tlsroute.ts b/generated/crds/gateway/v1alpha2/tlsroute.ts
new file mode 100644
index 0000000..ba24571
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tlsroute.ts
@@ -0,0 +1,106 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+export class TLSRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRoute {
+        return new TLSRoute(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoute';
+
+    /**
+     * Returns true if the given object is an instance of TLSRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is TLSRoute {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRoute.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha2.TLSRouteSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha2.TLSRouteStatus>;
+
+    /**
+     * Create a TLSRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRouteArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "TLSRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(TLSRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a TLSRoute resource.
+ */
+export interface TLSRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tlsrouteList.d.ts b/generated/crds/gateway/v1alpha2/tlsrouteList.d.ts
new file mode 100644
index 0000000..57aec8d
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tlsrouteList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * TLSRouteList is a list of TLSRoute
+ */
+export declare class TLSRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRouteList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRouteList";
+    /**
+     * Returns true if the given object is an instance of TLSRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is TLSRouteList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1alpha2.TLSRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"TLSRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a TLSRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRouteListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a TLSRouteList resource.
+ */
+export interface TLSRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tlsrouteList.js b/generated/crds/gateway/v1alpha2/tlsrouteList.js
new file mode 100644
index 0000000..73d6796
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tlsrouteList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TLSRouteList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * TLSRouteList is a list of TLSRoute
+ */
+class TLSRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new TLSRouteList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of TLSRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRouteList.__pulumiType;
+    }
+    /**
+     * Create a TLSRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "TLSRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TLSRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.TLSRouteList = TLSRouteList;
+/** @internal */
+TLSRouteList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRouteList';
diff --git a/generated/crds/gateway/v1alpha2/tlsrouteList.ts b/generated/crds/gateway/v1alpha2/tlsrouteList.ts
new file mode 100644
index 0000000..9278880
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tlsrouteList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * TLSRouteList is a list of TLSRoute
+ */
+export class TLSRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRouteList {
+        return new TLSRouteList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRouteList';
+
+    /**
+     * Returns true if the given object is an instance of TLSRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is TLSRouteList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRouteList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1alpha2.TLSRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"TLSRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a TLSRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRouteListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "TLSRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TLSRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a TLSRouteList resource.
+ */
+export interface TLSRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tlsroutePatch.d.ts b/generated/crds/gateway/v1alpha2/tlsroutePatch.d.ts
new file mode 100644
index 0000000..dc5d772
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tlsroutePatch.d.ts
@@ -0,0 +1,75 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+export declare class TLSRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRoutePatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoutePatch";
+    /**
+     * Returns true if the given object is an instance of TLSRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is TLSRoutePatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha2.TLSRouteSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha2.TLSRouteStatusPatch>;
+    /**
+     * Create a TLSRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRoutePatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a TLSRoutePatch resource.
+ */
+export interface TLSRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha2/tlsroutePatch.js b/generated/crds/gateway/v1alpha2/tlsroutePatch.js
new file mode 100644
index 0000000..ad8e64d
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tlsroutePatch.js
@@ -0,0 +1,76 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TLSRoutePatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+class TLSRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new TLSRoutePatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of TLSRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRoutePatch.__pulumiType;
+    }
+    /**
+     * Create a TLSRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "TLSRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(TLSRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.TLSRoutePatch = TLSRoutePatch;
+/** @internal */
+TLSRoutePatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoutePatch';
diff --git a/generated/crds/gateway/v1alpha2/tlsroutePatch.ts b/generated/crds/gateway/v1alpha2/tlsroutePatch.ts
new file mode 100644
index 0000000..15428bc
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/tlsroutePatch.ts
@@ -0,0 +1,112 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+export class TLSRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRoutePatch {
+        return new TLSRoutePatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoutePatch';
+
+    /**
+     * Returns true if the given object is an instance of TLSRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is TLSRoutePatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRoutePatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha2.TLSRouteSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha2.TLSRouteStatusPatch>;
+
+    /**
+     * Create a TLSRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRoutePatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "TLSRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(TLSRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a TLSRoutePatch resource.
+ */
+export interface TLSRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha2/udproute.d.ts b/generated/crds/gateway/v1alpha2/udproute.d.ts
new file mode 100644
index 0000000..5494d23
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/udproute.d.ts
@@ -0,0 +1,66 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+ * listener, it can be used to forward traffic on the port specified by the
+ * listener to a set of backends specified by the UDPRoute.
+ */
+export declare class UDPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing UDPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): UDPRoute;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoute";
+    /**
+     * Returns true if the given object is an instance of UDPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is UDPRoute;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"UDPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha2.UDPRouteSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha2.UDPRouteStatus>;
+    /**
+     * Create a UDPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: UDPRouteArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a UDPRoute resource.
+ */
+export interface UDPRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"UDPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha2/udproute.js b/generated/crds/gateway/v1alpha2/udproute.js
new file mode 100644
index 0000000..8c3551d
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/udproute.js
@@ -0,0 +1,65 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UDPRoute = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+ * listener, it can be used to forward traffic on the port specified by the
+ * listener to a set of backends specified by the UDPRoute.
+ */
+class UDPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing UDPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new UDPRoute(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of UDPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === UDPRoute.__pulumiType;
+    }
+    /**
+     * Create a UDPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "UDPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(UDPRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.UDPRoute = UDPRoute;
+/** @internal */
+UDPRoute.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoute';
diff --git a/generated/crds/gateway/v1alpha2/udproute.ts b/generated/crds/gateway/v1alpha2/udproute.ts
new file mode 100644
index 0000000..6e624c3
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/udproute.ts
@@ -0,0 +1,101 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+ * listener, it can be used to forward traffic on the port specified by the
+ * listener to a set of backends specified by the UDPRoute.
+ */
+export class UDPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing UDPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): UDPRoute {
+        return new UDPRoute(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoute';
+
+    /**
+     * Returns true if the given object is an instance of UDPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is UDPRoute {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === UDPRoute.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"UDPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha2.UDPRouteSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha2.UDPRouteStatus>;
+
+    /**
+     * Create a UDPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: UDPRouteArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "UDPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(UDPRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a UDPRoute resource.
+ */
+export interface UDPRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"UDPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha2/udprouteList.d.ts b/generated/crds/gateway/v1alpha2/udprouteList.d.ts
new file mode 100644
index 0000000..d6b6203
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/udprouteList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * UDPRouteList is a list of UDPRoute
+ */
+export declare class UDPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing UDPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): UDPRouteList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRouteList";
+    /**
+     * Returns true if the given object is an instance of UDPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is UDPRouteList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of udproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1alpha2.UDPRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"UDPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a UDPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: UDPRouteListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a UDPRouteList resource.
+ */
+export interface UDPRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of udproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"UDPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha2/udprouteList.js b/generated/crds/gateway/v1alpha2/udprouteList.js
new file mode 100644
index 0000000..5b2b185
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/udprouteList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UDPRouteList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * UDPRouteList is a list of UDPRoute
+ */
+class UDPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing UDPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new UDPRouteList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of UDPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === UDPRouteList.__pulumiType;
+    }
+    /**
+     * Create a UDPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "UDPRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(UDPRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.UDPRouteList = UDPRouteList;
+/** @internal */
+UDPRouteList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRouteList';
diff --git a/generated/crds/gateway/v1alpha2/udprouteList.ts b/generated/crds/gateway/v1alpha2/udprouteList.ts
new file mode 100644
index 0000000..c36a481
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/udprouteList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * UDPRouteList is a list of UDPRoute
+ */
+export class UDPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing UDPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): UDPRouteList {
+        return new UDPRouteList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRouteList';
+
+    /**
+     * Returns true if the given object is an instance of UDPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is UDPRouteList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === UDPRouteList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of udproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1alpha2.UDPRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"UDPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a UDPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: UDPRouteListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "UDPRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(UDPRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a UDPRouteList resource.
+ */
+export interface UDPRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * List of udproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"UDPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha2/udproutePatch.d.ts b/generated/crds/gateway/v1alpha2/udproutePatch.d.ts
new file mode 100644
index 0000000..e56de47
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/udproutePatch.d.ts
@@ -0,0 +1,72 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+ * listener, it can be used to forward traffic on the port specified by the
+ * listener to a set of backends specified by the UDPRoute.
+ */
+export declare class UDPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing UDPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): UDPRoutePatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoutePatch";
+    /**
+     * Returns true if the given object is an instance of UDPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is UDPRoutePatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"UDPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha2.UDPRouteSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha2.UDPRouteStatusPatch>;
+    /**
+     * Create a UDPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: UDPRoutePatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a UDPRoutePatch resource.
+ */
+export interface UDPRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"UDPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha2/udproutePatch.js b/generated/crds/gateway/v1alpha2/udproutePatch.js
new file mode 100644
index 0000000..03f13dc
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/udproutePatch.js
@@ -0,0 +1,71 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UDPRoutePatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+ * listener, it can be used to forward traffic on the port specified by the
+ * listener to a set of backends specified by the UDPRoute.
+ */
+class UDPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing UDPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new UDPRoutePatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of UDPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === UDPRoutePatch.__pulumiType;
+    }
+    /**
+     * Create a UDPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "UDPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(UDPRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.UDPRoutePatch = UDPRoutePatch;
+/** @internal */
+UDPRoutePatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoutePatch';
diff --git a/generated/crds/gateway/v1alpha2/udproutePatch.ts b/generated/crds/gateway/v1alpha2/udproutePatch.ts
new file mode 100644
index 0000000..a3f1a3c
--- /dev/null
+++ b/generated/crds/gateway/v1alpha2/udproutePatch.ts
@@ -0,0 +1,107 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+ * listener, it can be used to forward traffic on the port specified by the
+ * listener to a set of backends specified by the UDPRoute.
+ */
+export class UDPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing UDPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): UDPRoutePatch {
+        return new UDPRoutePatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha2:UDPRoutePatch';
+
+    /**
+     * Returns true if the given object is an instance of UDPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is UDPRoutePatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === UDPRoutePatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"UDPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha2.UDPRouteSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha2.UDPRouteStatusPatch>;
+
+    /**
+     * Create a UDPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: UDPRoutePatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha2";
+            resourceInputs["kind"] = "UDPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(UDPRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a UDPRoutePatch resource.
+ */
+export interface UDPRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"UDPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicy.d.ts b/generated/crds/gateway/v1alpha3/backendTLSPolicy.d.ts
new file mode 100644
index 0000000..f6600eb
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/backendTLSPolicy.d.ts
@@ -0,0 +1,65 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+export declare class BackendTLSPolicy extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicy resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicy;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicy";
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicy.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is BackendTLSPolicy;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicySpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicyStatus>;
+    /**
+     * Create a BackendTLSPolicy resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a BackendTLSPolicy resource.
+ */
+export interface BackendTLSPolicyArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpec>;
+}
diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicy.js b/generated/crds/gateway/v1alpha3/backendTLSPolicy.js
new file mode 100644
index 0000000..c833a2e
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/backendTLSPolicy.js
@@ -0,0 +1,66 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BackendTLSPolicy = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+class BackendTLSPolicy extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicy resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new BackendTLSPolicy(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicy.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicy.__pulumiType;
+    }
+    /**
+     * Create a BackendTLSPolicy resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["kind"] = "BackendTLSPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(BackendTLSPolicy.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.BackendTLSPolicy = BackendTLSPolicy;
+/** @internal */
+BackendTLSPolicy.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicy';
diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicy.ts b/generated/crds/gateway/v1alpha3/backendTLSPolicy.ts
new file mode 100644
index 0000000..f6959c7
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/backendTLSPolicy.ts
@@ -0,0 +1,102 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+export class BackendTLSPolicy extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicy resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicy {
+        return new BackendTLSPolicy(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicy';
+
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicy.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is BackendTLSPolicy {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicy.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicySpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicyStatus>;
+
+    /**
+     * Create a BackendTLSPolicy resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["kind"] = "BackendTLSPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicy" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(BackendTLSPolicy.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a BackendTLSPolicy resource.
+ */
+export interface BackendTLSPolicyArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpec>;
+}
diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicyList.d.ts b/generated/crds/gateway/v1alpha3/backendTLSPolicyList.d.ts
new file mode 100644
index 0000000..a92cbf5
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/backendTLSPolicyList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * BackendTLSPolicyList is a list of BackendTLSPolicy
+ */
+export declare class BackendTLSPolicyList extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyList";
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is BackendTLSPolicyList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicy[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"BackendTLSPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a BackendTLSPolicyList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a BackendTLSPolicyList resource.
+ */
+export interface BackendTLSPolicyListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicy>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicyList.js b/generated/crds/gateway/v1alpha3/backendTLSPolicyList.js
new file mode 100644
index 0000000..10578fc
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/backendTLSPolicyList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BackendTLSPolicyList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * BackendTLSPolicyList is a list of BackendTLSPolicy
+ */
+class BackendTLSPolicyList extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new BackendTLSPolicyList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicyList.__pulumiType;
+    }
+    /**
+     * Create a BackendTLSPolicyList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "BackendTLSPolicyList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(BackendTLSPolicyList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.BackendTLSPolicyList = BackendTLSPolicyList;
+/** @internal */
+BackendTLSPolicyList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyList';
diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicyList.ts b/generated/crds/gateway/v1alpha3/backendTLSPolicyList.ts
new file mode 100644
index 0000000..8c867ca
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/backendTLSPolicyList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * BackendTLSPolicyList is a list of BackendTLSPolicy
+ */
+export class BackendTLSPolicyList extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyList {
+        return new BackendTLSPolicyList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyList';
+
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is BackendTLSPolicyList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicyList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicy[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"BackendTLSPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a BackendTLSPolicyList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "BackendTLSPolicyList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(BackendTLSPolicyList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a BackendTLSPolicyList resource.
+ */
+export interface BackendTLSPolicyListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * List of backendtlspolicies. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicy>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicyList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.d.ts b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.d.ts
new file mode 100644
index 0000000..fc99cb8
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.d.ts
@@ -0,0 +1,71 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+export declare class BackendTLSPolicyPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch";
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is BackendTLSPolicyPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicySpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicyStatusPatch>;
+    /**
+     * Create a BackendTLSPolicyPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a BackendTLSPolicyPatch resource.
+ */
+export interface BackendTLSPolicyPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.js b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.js
new file mode 100644
index 0000000..507cea5
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.js
@@ -0,0 +1,72 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BackendTLSPolicyPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+class BackendTLSPolicyPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new BackendTLSPolicyPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicyPatch.__pulumiType;
+    }
+    /**
+     * Create a BackendTLSPolicyPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["kind"] = "BackendTLSPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(BackendTLSPolicyPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.BackendTLSPolicyPatch = BackendTLSPolicyPatch;
+/** @internal */
+BackendTLSPolicyPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch';
diff --git a/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.ts b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.ts
new file mode 100644
index 0000000..7524f34
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/backendTLSPolicyPatch.ts
@@ -0,0 +1,108 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * BackendTLSPolicy provides a way to configure how a Gateway
+ * connects to a Backend via TLS.
+ */
+export class BackendTLSPolicyPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing BackendTLSPolicyPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): BackendTLSPolicyPatch {
+        return new BackendTLSPolicyPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch';
+
+    /**
+     * Returns true if the given object is an instance of BackendTLSPolicyPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is BackendTLSPolicyPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === BackendTLSPolicyPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicySpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha3.BackendTLSPolicyStatusPatch>;
+
+    /**
+     * Create a BackendTLSPolicyPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: BackendTLSPolicyPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["kind"] = "BackendTLSPolicy";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:BackendTLSPolicyPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(BackendTLSPolicyPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a BackendTLSPolicyPatch resource.
+ */
+export interface BackendTLSPolicyPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"BackendTLSPolicy">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha3/index.d.ts b/generated/crds/gateway/v1alpha3/index.d.ts
new file mode 100644
index 0000000..146a6a1
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/index.d.ts
@@ -0,0 +1,18 @@
+export { BackendTLSPolicyArgs } from "./backendTLSPolicy";
+export type BackendTLSPolicy = import("./backendTLSPolicy").BackendTLSPolicy;
+export declare const BackendTLSPolicy: typeof import("./backendTLSPolicy").BackendTLSPolicy;
+export { BackendTLSPolicyListArgs } from "./backendTLSPolicyList";
+export type BackendTLSPolicyList = import("./backendTLSPolicyList").BackendTLSPolicyList;
+export declare const BackendTLSPolicyList: typeof import("./backendTLSPolicyList").BackendTLSPolicyList;
+export { BackendTLSPolicyPatchArgs } from "./backendTLSPolicyPatch";
+export type BackendTLSPolicyPatch = import("./backendTLSPolicyPatch").BackendTLSPolicyPatch;
+export declare const BackendTLSPolicyPatch: typeof import("./backendTLSPolicyPatch").BackendTLSPolicyPatch;
+export { TLSRouteArgs } from "./tlsroute";
+export type TLSRoute = import("./tlsroute").TLSRoute;
+export declare const TLSRoute: typeof import("./tlsroute").TLSRoute;
+export { TLSRouteListArgs } from "./tlsrouteList";
+export type TLSRouteList = import("./tlsrouteList").TLSRouteList;
+export declare const TLSRouteList: typeof import("./tlsrouteList").TLSRouteList;
+export { TLSRoutePatchArgs } from "./tlsroutePatch";
+export type TLSRoutePatch = import("./tlsroutePatch").TLSRoutePatch;
+export declare const TLSRoutePatch: typeof import("./tlsroutePatch").TLSRoutePatch;
diff --git a/generated/crds/gateway/v1alpha3/index.js b/generated/crds/gateway/v1alpha3/index.js
new file mode 100644
index 0000000..a036ec1
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/index.js
@@ -0,0 +1,41 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TLSRoutePatch = exports.TLSRouteList = exports.TLSRoute = exports.BackendTLSPolicyPatch = exports.BackendTLSPolicyList = exports.BackendTLSPolicy = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+exports.BackendTLSPolicy = null;
+utilities.lazyLoad(exports, ["BackendTLSPolicy"], () => require("./backendTLSPolicy"));
+exports.BackendTLSPolicyList = null;
+utilities.lazyLoad(exports, ["BackendTLSPolicyList"], () => require("./backendTLSPolicyList"));
+exports.BackendTLSPolicyPatch = null;
+utilities.lazyLoad(exports, ["BackendTLSPolicyPatch"], () => require("./backendTLSPolicyPatch"));
+exports.TLSRoute = null;
+utilities.lazyLoad(exports, ["TLSRoute"], () => require("./tlsroute"));
+exports.TLSRouteList = null;
+utilities.lazyLoad(exports, ["TLSRouteList"], () => require("./tlsrouteList"));
+exports.TLSRoutePatch = null;
+utilities.lazyLoad(exports, ["TLSRoutePatch"], () => require("./tlsroutePatch"));
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name, type, urn) => {
+        switch (type) {
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicy":
+                return new exports.BackendTLSPolicy(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyList":
+                return new exports.BackendTLSPolicyList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch":
+                return new exports.BackendTLSPolicyPatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute":
+                return new exports.TLSRoute(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList":
+                return new exports.TLSRouteList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch":
+                return new exports.TLSRoutePatch(name, undefined, { urn });
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.k8s.io/v1alpha3", _module);
diff --git a/generated/crds/gateway/v1alpha3/index.ts b/generated/crds/gateway/v1alpha3/index.ts
new file mode 100644
index 0000000..d9e4572
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/index.ts
@@ -0,0 +1,60 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../../utilities";
+
+// Export members:
+export { BackendTLSPolicyArgs } from "./backendTLSPolicy";
+export type BackendTLSPolicy = import("./backendTLSPolicy").BackendTLSPolicy;
+export const BackendTLSPolicy: typeof import("./backendTLSPolicy").BackendTLSPolicy = null as any;
+utilities.lazyLoad(exports, ["BackendTLSPolicy"], () => require("./backendTLSPolicy"));
+
+export { BackendTLSPolicyListArgs } from "./backendTLSPolicyList";
+export type BackendTLSPolicyList = import("./backendTLSPolicyList").BackendTLSPolicyList;
+export const BackendTLSPolicyList: typeof import("./backendTLSPolicyList").BackendTLSPolicyList = null as any;
+utilities.lazyLoad(exports, ["BackendTLSPolicyList"], () => require("./backendTLSPolicyList"));
+
+export { BackendTLSPolicyPatchArgs } from "./backendTLSPolicyPatch";
+export type BackendTLSPolicyPatch = import("./backendTLSPolicyPatch").BackendTLSPolicyPatch;
+export const BackendTLSPolicyPatch: typeof import("./backendTLSPolicyPatch").BackendTLSPolicyPatch = null as any;
+utilities.lazyLoad(exports, ["BackendTLSPolicyPatch"], () => require("./backendTLSPolicyPatch"));
+
+export { TLSRouteArgs } from "./tlsroute";
+export type TLSRoute = import("./tlsroute").TLSRoute;
+export const TLSRoute: typeof import("./tlsroute").TLSRoute = null as any;
+utilities.lazyLoad(exports, ["TLSRoute"], () => require("./tlsroute"));
+
+export { TLSRouteListArgs } from "./tlsrouteList";
+export type TLSRouteList = import("./tlsrouteList").TLSRouteList;
+export const TLSRouteList: typeof import("./tlsrouteList").TLSRouteList = null as any;
+utilities.lazyLoad(exports, ["TLSRouteList"], () => require("./tlsrouteList"));
+
+export { TLSRoutePatchArgs } from "./tlsroutePatch";
+export type TLSRoutePatch = import("./tlsroutePatch").TLSRoutePatch;
+export const TLSRoutePatch: typeof import("./tlsroutePatch").TLSRoutePatch = null as any;
+utilities.lazyLoad(exports, ["TLSRoutePatch"], () => require("./tlsroutePatch"));
+
+
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name: string, type: string, urn: string): pulumi.Resource => {
+        switch (type) {
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicy":
+                return new BackendTLSPolicy(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyList":
+                return new BackendTLSPolicyList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:BackendTLSPolicyPatch":
+                return new BackendTLSPolicyPatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute":
+                return new TLSRoute(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList":
+                return new TLSRouteList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch":
+                return new TLSRoutePatch(name, <any>undefined, { urn })
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.k8s.io/v1alpha3", _module)
diff --git a/generated/crds/gateway/v1alpha3/tlsroute.d.ts b/generated/crds/gateway/v1alpha3/tlsroute.d.ts
new file mode 100644
index 0000000..0fcb88c
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/tlsroute.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+export declare class TLSRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRoute;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute";
+    /**
+     * Returns true if the given object is an instance of TLSRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is TLSRoute;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha3.TLSRouteSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha3.TLSRouteStatus>;
+    /**
+     * Create a TLSRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRouteArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a TLSRoute resource.
+ */
+export interface TLSRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha3/tlsroute.js b/generated/crds/gateway/v1alpha3/tlsroute.js
new file mode 100644
index 0000000..1d16c11
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/tlsroute.js
@@ -0,0 +1,70 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TLSRoute = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+class TLSRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new TLSRoute(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of TLSRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRoute.__pulumiType;
+    }
+    /**
+     * Create a TLSRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["kind"] = "TLSRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoute" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(TLSRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.TLSRoute = TLSRoute;
+/** @internal */
+TLSRoute.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute';
diff --git a/generated/crds/gateway/v1alpha3/tlsroute.ts b/generated/crds/gateway/v1alpha3/tlsroute.ts
new file mode 100644
index 0000000..bb339be
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/tlsroute.ts
@@ -0,0 +1,106 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+export class TLSRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRoute {
+        return new TLSRoute(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoute';
+
+    /**
+     * Returns true if the given object is an instance of TLSRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is TLSRoute {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRoute.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha3.TLSRouteSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha3.TLSRouteStatus>;
+
+    /**
+     * Create a TLSRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRouteArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["kind"] = "TLSRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoute" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(TLSRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a TLSRoute resource.
+ */
+export interface TLSRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1alpha3/tlsrouteList.d.ts b/generated/crds/gateway/v1alpha3/tlsrouteList.d.ts
new file mode 100644
index 0000000..010b8fe
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/tlsrouteList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * TLSRouteList is a list of TLSRoute
+ */
+export declare class TLSRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRouteList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList";
+    /**
+     * Returns true if the given object is an instance of TLSRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is TLSRouteList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1alpha3.TLSRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"TLSRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a TLSRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRouteListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a TLSRouteList resource.
+ */
+export interface TLSRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha3/tlsrouteList.js b/generated/crds/gateway/v1alpha3/tlsrouteList.js
new file mode 100644
index 0000000..41f3575
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/tlsrouteList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TLSRouteList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * TLSRouteList is a list of TLSRoute
+ */
+class TLSRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new TLSRouteList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of TLSRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRouteList.__pulumiType;
+    }
+    /**
+     * Create a TLSRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "TLSRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TLSRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.TLSRouteList = TLSRouteList;
+/** @internal */
+TLSRouteList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList';
diff --git a/generated/crds/gateway/v1alpha3/tlsrouteList.ts b/generated/crds/gateway/v1alpha3/tlsrouteList.ts
new file mode 100644
index 0000000..20b35ce
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/tlsrouteList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * TLSRouteList is a list of TLSRoute
+ */
+export class TLSRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRouteList {
+        return new TLSRouteList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRouteList';
+
+    /**
+     * Returns true if the given object is an instance of TLSRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is TLSRouteList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRouteList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1alpha3.TLSRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"TLSRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a TLSRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRouteListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "TLSRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(TLSRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a TLSRouteList resource.
+ */
+export interface TLSRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * List of tlsroutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1alpha3/tlsroutePatch.d.ts b/generated/crds/gateway/v1alpha3/tlsroutePatch.d.ts
new file mode 100644
index 0000000..892a9fc
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/tlsroutePatch.d.ts
@@ -0,0 +1,75 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+export declare class TLSRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRoutePatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch";
+    /**
+     * Returns true if the given object is an instance of TLSRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is TLSRoutePatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1alpha3.TLSRouteSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1alpha3.TLSRouteStatusPatch>;
+    /**
+     * Create a TLSRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRoutePatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a TLSRoutePatch resource.
+ */
+export interface TLSRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1alpha3/tlsroutePatch.js b/generated/crds/gateway/v1alpha3/tlsroutePatch.js
new file mode 100644
index 0000000..c7151e4
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/tlsroutePatch.js
@@ -0,0 +1,76 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TLSRoutePatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+class TLSRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new TLSRoutePatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of TLSRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRoutePatch.__pulumiType;
+    }
+    /**
+     * Create a TLSRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["kind"] = "TLSRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoutePatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(TLSRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.TLSRoutePatch = TLSRoutePatch;
+/** @internal */
+TLSRoutePatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch';
diff --git a/generated/crds/gateway/v1alpha3/tlsroutePatch.ts b/generated/crds/gateway/v1alpha3/tlsroutePatch.ts
new file mode 100644
index 0000000..3e6b0ce
--- /dev/null
+++ b/generated/crds/gateway/v1alpha3/tlsroutePatch.ts
@@ -0,0 +1,112 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * The TLSRoute resource is similar to TCPRoute, but can be configured
+ * to match against TLS-specific metadata. This allows more flexibility
+ * in matching streams for a given TLS listener.
+ *
+ * If you need to forward traffic to a single target for a TLS listener, you
+ * could choose to use a TCPRoute with a TLS listener.
+ */
+export class TLSRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing TLSRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): TLSRoutePatch {
+        return new TLSRoutePatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1alpha3:TLSRoutePatch';
+
+    /**
+     * Returns true if the given object is an instance of TLSRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is TLSRoutePatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === TLSRoutePatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1alpha3.TLSRouteSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1alpha3.TLSRouteStatusPatch>;
+
+    /**
+     * Create a TLSRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: TLSRoutePatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1alpha3";
+            resourceInputs["kind"] = "TLSRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1alpha2:TLSRoutePatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(TLSRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a TLSRoutePatch resource.
+ */
+export interface TLSRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"TLSRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1beta1/gateway.d.ts b/generated/crds/gateway/v1beta1/gateway.d.ts
new file mode 100644
index 0000000..35a8a26
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gateway.d.ts
@@ -0,0 +1,65 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+export declare class Gateway extends pulumi.CustomResource {
+    /**
+     * Get an existing Gateway resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Gateway;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:Gateway";
+    /**
+     * Returns true if the given object is an instance of Gateway.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is Gateway;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1beta1.GatewaySpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1beta1.GatewayStatus>;
+    /**
+     * Create a Gateway resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a Gateway resource.
+ */
+export interface GatewayArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpec>;
+}
diff --git a/generated/crds/gateway/v1beta1/gateway.js b/generated/crds/gateway/v1beta1/gateway.js
new file mode 100644
index 0000000..7342d68
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gateway.js
@@ -0,0 +1,66 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Gateway = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+class Gateway extends pulumi.CustomResource {
+    /**
+     * Get an existing Gateway resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new Gateway(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of Gateway.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Gateway.__pulumiType;
+    }
+    /**
+     * Create a Gateway resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "Gateway";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:Gateway" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(Gateway.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.Gateway = Gateway;
+/** @internal */
+Gateway.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:Gateway';
diff --git a/generated/crds/gateway/v1beta1/gateway.ts b/generated/crds/gateway/v1beta1/gateway.ts
new file mode 100644
index 0000000..948d7d8
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gateway.ts
@@ -0,0 +1,102 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+export class Gateway extends pulumi.CustomResource {
+    /**
+     * Get an existing Gateway resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): Gateway {
+        return new Gateway(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:Gateway';
+
+    /**
+     * Returns true if the given object is an instance of Gateway.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Gateway {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === Gateway.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1beta1.GatewaySpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1beta1.GatewayStatus>;
+
+    /**
+     * Create a Gateway resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "Gateway";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:Gateway" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(Gateway.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a Gateway resource.
+ */
+export interface GatewayArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpec>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayClass.d.ts b/generated/crds/gateway/v1beta1/gatewayClass.d.ts
new file mode 100644
index 0000000..ea03fc2
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayClass.d.ts
@@ -0,0 +1,80 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+export declare class GatewayClass extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClass resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClass;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClass";
+    /**
+     * Returns true if the given object is an instance of GatewayClass.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayClass;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1beta1.GatewayClassSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1beta1.GatewayClassStatus>;
+    /**
+     * Create a GatewayClass resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayClass resource.
+ */
+export interface GatewayClassArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpec>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayClass.js b/generated/crds/gateway/v1beta1/gatewayClass.js
new file mode 100644
index 0000000..73717e2
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayClass.js
@@ -0,0 +1,81 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayClass = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+class GatewayClass extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClass resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayClass(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayClass.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClass.__pulumiType;
+    }
+    /**
+     * Create a GatewayClass resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "GatewayClass";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GatewayClass" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayClass.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayClass = GatewayClass;
+/** @internal */
+GatewayClass.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClass';
diff --git a/generated/crds/gateway/v1beta1/gatewayClass.ts b/generated/crds/gateway/v1beta1/gatewayClass.ts
new file mode 100644
index 0000000..3874985
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayClass.ts
@@ -0,0 +1,117 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+export class GatewayClass extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClass resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClass {
+        return new GatewayClass(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClass';
+
+    /**
+     * Returns true if the given object is an instance of GatewayClass.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayClass {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClass.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1beta1.GatewayClassSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1beta1.GatewayClassStatus>;
+
+    /**
+     * Create a GatewayClass resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "GatewayClass";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GatewayClass" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayClass.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayClass resource.
+ */
+export interface GatewayClassArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpec>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayClassList.d.ts b/generated/crds/gateway/v1beta1/gatewayClassList.d.ts
new file mode 100644
index 0000000..1d75173
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayClassList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * GatewayClassList is a list of GatewayClass
+ */
+export declare class GatewayClassList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClassList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassList";
+    /**
+     * Returns true if the given object is an instance of GatewayClassList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayClassList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of gatewayclasses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1beta1.GatewayClass[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GatewayClassList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a GatewayClassList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayClassList resource.
+ */
+export interface GatewayClassListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of gatewayclasses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayClass>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClassList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayClassList.js b/generated/crds/gateway/v1beta1/gatewayClassList.js
new file mode 100644
index 0000000..eac365c
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayClassList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayClassList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * GatewayClassList is a list of GatewayClass
+ */
+class GatewayClassList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayClassList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayClassList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClassList.__pulumiType;
+    }
+    /**
+     * Create a GatewayClassList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GatewayClassList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GatewayClassList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayClassList = GatewayClassList;
+/** @internal */
+GatewayClassList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassList';
diff --git a/generated/crds/gateway/v1beta1/gatewayClassList.ts b/generated/crds/gateway/v1beta1/gatewayClassList.ts
new file mode 100644
index 0000000..35b038b
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayClassList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * GatewayClassList is a list of GatewayClass
+ */
+export class GatewayClassList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClassList {
+        return new GatewayClassList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassList';
+
+    /**
+     * Returns true if the given object is an instance of GatewayClassList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayClassList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClassList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of gatewayclasses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1beta1.GatewayClass[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GatewayClassList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a GatewayClassList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GatewayClassList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GatewayClassList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayClassList resource.
+ */
+export interface GatewayClassListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of gatewayclasses. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayClass>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClassList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayClassPatch.d.ts b/generated/crds/gateway/v1beta1/gatewayClassPatch.d.ts
new file mode 100644
index 0000000..7caacd7
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayClassPatch.d.ts
@@ -0,0 +1,86 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+export declare class GatewayClassPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClassPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassPatch";
+    /**
+     * Returns true if the given object is an instance of GatewayClassPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayClassPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1beta1.GatewayClassSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1beta1.GatewayClassStatusPatch>;
+    /**
+     * Create a GatewayClassPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayClassPatch resource.
+ */
+export interface GatewayClassPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayClassPatch.js b/generated/crds/gateway/v1beta1/gatewayClassPatch.js
new file mode 100644
index 0000000..aeb0994
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayClassPatch.js
@@ -0,0 +1,87 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayClassPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+class GatewayClassPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayClassPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayClassPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClassPatch.__pulumiType;
+    }
+    /**
+     * Create a GatewayClassPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "GatewayClass";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GatewayClassPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayClassPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayClassPatch = GatewayClassPatch;
+/** @internal */
+GatewayClassPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassPatch';
diff --git a/generated/crds/gateway/v1beta1/gatewayClassPatch.ts b/generated/crds/gateway/v1beta1/gatewayClassPatch.ts
new file mode 100644
index 0000000..3f83aad
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayClassPatch.ts
@@ -0,0 +1,123 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * GatewayClass describes a class of Gateways available to the user for creating
+ * Gateway resources.
+ *
+ * It is recommended that this resource be used as a template for Gateways. This
+ * means that a Gateway is based on the state of the GatewayClass at the time it
+ * was created and changes to the GatewayClass or associated parameters are not
+ * propagated down to existing Gateways. This recommendation is intended to
+ * limit the blast radius of changes to GatewayClass or associated parameters.
+ * If implementations choose to propagate GatewayClass changes to existing
+ * Gateways, that MUST be clearly documented by the implementation.
+ *
+ * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ * associated GatewayClass. This ensures that a GatewayClass associated with a
+ * Gateway is not deleted while in use.
+ *
+ * GatewayClass is a Cluster level resource.
+ */
+export class GatewayClassPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayClassPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayClassPatch {
+        return new GatewayClassPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassPatch';
+
+    /**
+     * Returns true if the given object is an instance of GatewayClassPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayClassPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayClassPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1beta1.GatewayClassSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1beta1.GatewayClassStatusPatch>;
+
+    /**
+     * Create a GatewayClassPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayClassPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "GatewayClass";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GatewayClassPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayClassPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayClassPatch resource.
+ */
+export interface GatewayClassPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayClass">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayList.d.ts b/generated/crds/gateway/v1beta1/gatewayList.d.ts
new file mode 100644
index 0000000..a145067
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * GatewayList is a list of Gateway
+ */
+export declare class GatewayList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayList";
+    /**
+     * Returns true if the given object is an instance of GatewayList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of gateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1beta1.Gateway[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"GatewayList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a GatewayList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayList resource.
+ */
+export interface GatewayListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of gateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.Gateway>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayList.js b/generated/crds/gateway/v1beta1/gatewayList.js
new file mode 100644
index 0000000..7ed84f5
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * GatewayList is a list of Gateway
+ */
+class GatewayList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayList.__pulumiType;
+    }
+    /**
+     * Create a GatewayList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GatewayList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GatewayList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayList = GatewayList;
+/** @internal */
+GatewayList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayList';
diff --git a/generated/crds/gateway/v1beta1/gatewayList.ts b/generated/crds/gateway/v1beta1/gatewayList.ts
new file mode 100644
index 0000000..fe9ec06
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * GatewayList is a list of Gateway
+ */
+export class GatewayList extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayList {
+        return new GatewayList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayList';
+
+    /**
+     * Returns true if the given object is an instance of GatewayList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of gateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1beta1.Gateway[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"GatewayList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a GatewayList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "GatewayList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(GatewayList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayList resource.
+ */
+export interface GatewayListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of gateways. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.Gateway>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"GatewayList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayPatch.d.ts b/generated/crds/gateway/v1beta1/gatewayPatch.d.ts
new file mode 100644
index 0000000..da34d2c
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayPatch.d.ts
@@ -0,0 +1,71 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+export declare class GatewayPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayPatch";
+    /**
+     * Returns true if the given object is an instance of GatewayPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is GatewayPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1beta1.GatewaySpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1beta1.GatewayStatusPatch>;
+    /**
+     * Create a GatewayPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a GatewayPatch resource.
+ */
+export interface GatewayPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1beta1/gatewayPatch.js b/generated/crds/gateway/v1beta1/gatewayPatch.js
new file mode 100644
index 0000000..68f4775
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayPatch.js
@@ -0,0 +1,72 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GatewayPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+class GatewayPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new GatewayPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of GatewayPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayPatch.__pulumiType;
+    }
+    /**
+     * Create a GatewayPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "Gateway";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GatewayPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.GatewayPatch = GatewayPatch;
+/** @internal */
+GatewayPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayPatch';
diff --git a/generated/crds/gateway/v1beta1/gatewayPatch.ts b/generated/crds/gateway/v1beta1/gatewayPatch.ts
new file mode 100644
index 0000000..75fe5ec
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/gatewayPatch.ts
@@ -0,0 +1,108 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * Gateway represents an instance of a service-traffic handling infrastructure
+ * by binding Listeners to a set of IP addresses.
+ */
+export class GatewayPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing GatewayPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): GatewayPatch {
+        return new GatewayPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:GatewayPatch';
+
+    /**
+     * Returns true if the given object is an instance of GatewayPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is GatewayPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === GatewayPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1beta1.GatewaySpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1beta1.GatewayStatusPatch>;
+
+    /**
+     * Create a GatewayPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: GatewayPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "Gateway";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:GatewayPatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(GatewayPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a GatewayPatch resource.
+ */
+export interface GatewayPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"Gateway">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecPatch>;
+}
diff --git a/generated/crds/gateway/v1beta1/httproute.d.ts b/generated/crds/gateway/v1beta1/httproute.d.ts
new file mode 100644
index 0000000..f8db09b
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/httproute.d.ts
@@ -0,0 +1,67 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+export declare class HTTPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRoute;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoute";
+    /**
+     * Returns true if the given object is an instance of HTTPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is HTTPRoute;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1beta1.HTTPRouteSpec>;
+    readonly status: pulumi.Output<outputs.gateway.v1beta1.HTTPRouteStatus>;
+    /**
+     * Create a HTTPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRouteArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a HTTPRoute resource.
+ */
+export interface HTTPRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1beta1/httproute.js b/generated/crds/gateway/v1beta1/httproute.js
new file mode 100644
index 0000000..6892c67
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/httproute.js
@@ -0,0 +1,68 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HTTPRoute = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+class HTTPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new HTTPRoute(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of HTTPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRoute.__pulumiType;
+    }
+    /**
+     * Create a HTTPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "HTTPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:HTTPRoute" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(HTTPRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.HTTPRoute = HTTPRoute;
+/** @internal */
+HTTPRoute.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoute';
diff --git a/generated/crds/gateway/v1beta1/httproute.ts b/generated/crds/gateway/v1beta1/httproute.ts
new file mode 100644
index 0000000..dab9e93
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/httproute.ts
@@ -0,0 +1,104 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+export class HTTPRoute extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoute resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRoute {
+        return new HTTPRoute(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoute';
+
+    /**
+     * Returns true if the given object is an instance of HTTPRoute.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is HTTPRoute {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRoute.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1beta1.HTTPRouteSpec>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1beta1.HTTPRouteStatus>;
+
+    /**
+     * Create a HTTPRoute resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRouteArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "HTTPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:HTTPRoute" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(HTTPRoute.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a HTTPRoute resource.
+ */
+export interface HTTPRouteArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpec>;
+}
diff --git a/generated/crds/gateway/v1beta1/httprouteList.d.ts b/generated/crds/gateway/v1beta1/httprouteList.d.ts
new file mode 100644
index 0000000..4807858
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/httprouteList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * HTTPRouteList is a list of HTTPRoute
+ */
+export declare class HTTPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRouteList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRouteList";
+    /**
+     * Returns true if the given object is an instance of HTTPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is HTTPRouteList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of httproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1beta1.HTTPRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"HTTPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a HTTPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRouteListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a HTTPRouteList resource.
+ */
+export interface HTTPRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of httproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1beta1/httprouteList.js b/generated/crds/gateway/v1beta1/httprouteList.js
new file mode 100644
index 0000000..6c7c9f5
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/httprouteList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HTTPRouteList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * HTTPRouteList is a list of HTTPRoute
+ */
+class HTTPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new HTTPRouteList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of HTTPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRouteList.__pulumiType;
+    }
+    /**
+     * Create a HTTPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "HTTPRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(HTTPRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.HTTPRouteList = HTTPRouteList;
+/** @internal */
+HTTPRouteList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRouteList';
diff --git a/generated/crds/gateway/v1beta1/httprouteList.ts b/generated/crds/gateway/v1beta1/httprouteList.ts
new file mode 100644
index 0000000..019f953
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/httprouteList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * HTTPRouteList is a list of HTTPRoute
+ */
+export class HTTPRouteList extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRouteList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRouteList {
+        return new HTTPRouteList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRouteList';
+
+    /**
+     * Returns true if the given object is an instance of HTTPRouteList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is HTTPRouteList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRouteList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of httproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1beta1.HTTPRoute[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"HTTPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a HTTPRouteList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRouteListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "HTTPRouteList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(HTTPRouteList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a HTTPRouteList resource.
+ */
+export interface HTTPRouteListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of httproutes. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRoute>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRouteList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1beta1/httproutePatch.d.ts b/generated/crds/gateway/v1beta1/httproutePatch.d.ts
new file mode 100644
index 0000000..c2cda02
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/httproutePatch.d.ts
@@ -0,0 +1,73 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+export declare class HTTPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRoutePatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoutePatch";
+    /**
+     * Returns true if the given object is an instance of HTTPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is HTTPRoutePatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1beta1.HTTPRouteSpecPatch>;
+    readonly status: pulumi.Output<outputs.gateway.v1beta1.HTTPRouteStatusPatch>;
+    /**
+     * Create a HTTPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRoutePatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a HTTPRoutePatch resource.
+ */
+export interface HTTPRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1beta1/httproutePatch.js b/generated/crds/gateway/v1beta1/httproutePatch.js
new file mode 100644
index 0000000..ee98cdd
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/httproutePatch.js
@@ -0,0 +1,74 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HTTPRoutePatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+class HTTPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new HTTPRoutePatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of HTTPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRoutePatch.__pulumiType;
+    }
+    /**
+     * Create a HTTPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "HTTPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:HTTPRoutePatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(HTTPRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.HTTPRoutePatch = HTTPRoutePatch;
+/** @internal */
+HTTPRoutePatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoutePatch';
diff --git a/generated/crds/gateway/v1beta1/httproutePatch.ts b/generated/crds/gateway/v1beta1/httproutePatch.ts
new file mode 100644
index 0000000..70cbf43
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/httproutePatch.ts
@@ -0,0 +1,110 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * HTTPRoute provides a way to route HTTP requests. This includes the capability
+ * to match requests by hostname, path, header, or query param. Filters can be
+ * used to specify additional processing steps. Backends specify where matching
+ * requests should be routed.
+ */
+export class HTTPRoutePatch extends pulumi.CustomResource {
+    /**
+     * Get an existing HTTPRoutePatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): HTTPRoutePatch {
+        return new HTTPRoutePatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoutePatch';
+
+    /**
+     * Returns true if the given object is an instance of HTTPRoutePatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is HTTPRoutePatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === HTTPRoutePatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1beta1.HTTPRouteSpecPatch>;
+    public /*out*/ readonly status!: pulumi.Output<outputs.gateway.v1beta1.HTTPRouteStatusPatch>;
+
+    /**
+     * Create a HTTPRoutePatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: HTTPRoutePatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "HTTPRoute";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+            resourceInputs["status"] = undefined /*out*/;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+            resourceInputs["status"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const aliasOpts = { aliases: [{ type: "kubernetes:gateway.networking.k8s.io/v1:HTTPRoutePatch" }] };
+        opts = pulumi.mergeOptions(opts, aliasOpts);
+        super(HTTPRoutePatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a HTTPRoutePatch resource.
+ */
+export interface HTTPRoutePatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"HTTPRoute">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1beta1/index.d.ts b/generated/crds/gateway/v1beta1/index.d.ts
new file mode 100644
index 0000000..8bf18ab
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/index.d.ts
@@ -0,0 +1,36 @@
+export { GatewayArgs } from "./gateway";
+export type Gateway = import("./gateway").Gateway;
+export declare const Gateway: typeof import("./gateway").Gateway;
+export { GatewayClassArgs } from "./gatewayClass";
+export type GatewayClass = import("./gatewayClass").GatewayClass;
+export declare const GatewayClass: typeof import("./gatewayClass").GatewayClass;
+export { GatewayClassListArgs } from "./gatewayClassList";
+export type GatewayClassList = import("./gatewayClassList").GatewayClassList;
+export declare const GatewayClassList: typeof import("./gatewayClassList").GatewayClassList;
+export { GatewayClassPatchArgs } from "./gatewayClassPatch";
+export type GatewayClassPatch = import("./gatewayClassPatch").GatewayClassPatch;
+export declare const GatewayClassPatch: typeof import("./gatewayClassPatch").GatewayClassPatch;
+export { GatewayListArgs } from "./gatewayList";
+export type GatewayList = import("./gatewayList").GatewayList;
+export declare const GatewayList: typeof import("./gatewayList").GatewayList;
+export { GatewayPatchArgs } from "./gatewayPatch";
+export type GatewayPatch = import("./gatewayPatch").GatewayPatch;
+export declare const GatewayPatch: typeof import("./gatewayPatch").GatewayPatch;
+export { HTTPRouteArgs } from "./httproute";
+export type HTTPRoute = import("./httproute").HTTPRoute;
+export declare const HTTPRoute: typeof import("./httproute").HTTPRoute;
+export { HTTPRouteListArgs } from "./httprouteList";
+export type HTTPRouteList = import("./httprouteList").HTTPRouteList;
+export declare const HTTPRouteList: typeof import("./httprouteList").HTTPRouteList;
+export { HTTPRoutePatchArgs } from "./httproutePatch";
+export type HTTPRoutePatch = import("./httproutePatch").HTTPRoutePatch;
+export declare const HTTPRoutePatch: typeof import("./httproutePatch").HTTPRoutePatch;
+export { ReferenceGrantArgs } from "./referenceGrant";
+export type ReferenceGrant = import("./referenceGrant").ReferenceGrant;
+export declare const ReferenceGrant: typeof import("./referenceGrant").ReferenceGrant;
+export { ReferenceGrantListArgs } from "./referenceGrantList";
+export type ReferenceGrantList = import("./referenceGrantList").ReferenceGrantList;
+export declare const ReferenceGrantList: typeof import("./referenceGrantList").ReferenceGrantList;
+export { ReferenceGrantPatchArgs } from "./referenceGrantPatch";
+export type ReferenceGrantPatch = import("./referenceGrantPatch").ReferenceGrantPatch;
+export declare const ReferenceGrantPatch: typeof import("./referenceGrantPatch").ReferenceGrantPatch;
diff --git a/generated/crds/gateway/v1beta1/index.js b/generated/crds/gateway/v1beta1/index.js
new file mode 100644
index 0000000..f9d0b1f
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/index.js
@@ -0,0 +1,65 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ReferenceGrantPatch = exports.ReferenceGrantList = exports.ReferenceGrant = exports.HTTPRoutePatch = exports.HTTPRouteList = exports.HTTPRoute = exports.GatewayPatch = exports.GatewayList = exports.GatewayClassPatch = exports.GatewayClassList = exports.GatewayClass = exports.Gateway = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+exports.Gateway = null;
+utilities.lazyLoad(exports, ["Gateway"], () => require("./gateway"));
+exports.GatewayClass = null;
+utilities.lazyLoad(exports, ["GatewayClass"], () => require("./gatewayClass"));
+exports.GatewayClassList = null;
+utilities.lazyLoad(exports, ["GatewayClassList"], () => require("./gatewayClassList"));
+exports.GatewayClassPatch = null;
+utilities.lazyLoad(exports, ["GatewayClassPatch"], () => require("./gatewayClassPatch"));
+exports.GatewayList = null;
+utilities.lazyLoad(exports, ["GatewayList"], () => require("./gatewayList"));
+exports.GatewayPatch = null;
+utilities.lazyLoad(exports, ["GatewayPatch"], () => require("./gatewayPatch"));
+exports.HTTPRoute = null;
+utilities.lazyLoad(exports, ["HTTPRoute"], () => require("./httproute"));
+exports.HTTPRouteList = null;
+utilities.lazyLoad(exports, ["HTTPRouteList"], () => require("./httprouteList"));
+exports.HTTPRoutePatch = null;
+utilities.lazyLoad(exports, ["HTTPRoutePatch"], () => require("./httproutePatch"));
+exports.ReferenceGrant = null;
+utilities.lazyLoad(exports, ["ReferenceGrant"], () => require("./referenceGrant"));
+exports.ReferenceGrantList = null;
+utilities.lazyLoad(exports, ["ReferenceGrantList"], () => require("./referenceGrantList"));
+exports.ReferenceGrantPatch = null;
+utilities.lazyLoad(exports, ["ReferenceGrantPatch"], () => require("./referenceGrantPatch"));
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name, type, urn) => {
+        switch (type) {
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:Gateway":
+                return new exports.Gateway(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClass":
+                return new exports.GatewayClass(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassList":
+                return new exports.GatewayClassList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassPatch":
+                return new exports.GatewayClassPatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayList":
+                return new exports.GatewayList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayPatch":
+                return new exports.GatewayPatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoute":
+                return new exports.HTTPRoute(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRouteList":
+                return new exports.HTTPRouteList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoutePatch":
+                return new exports.HTTPRoutePatch(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrant":
+                return new exports.ReferenceGrant(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantList":
+                return new exports.ReferenceGrantList(name, undefined, { urn });
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantPatch":
+                return new exports.ReferenceGrantPatch(name, undefined, { urn });
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.k8s.io/v1beta1", _module);
diff --git a/generated/crds/gateway/v1beta1/index.ts b/generated/crds/gateway/v1beta1/index.ts
new file mode 100644
index 0000000..052e739
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/index.ts
@@ -0,0 +1,102 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "../../utilities";
+
+// Export members:
+export { GatewayArgs } from "./gateway";
+export type Gateway = import("./gateway").Gateway;
+export const Gateway: typeof import("./gateway").Gateway = null as any;
+utilities.lazyLoad(exports, ["Gateway"], () => require("./gateway"));
+
+export { GatewayClassArgs } from "./gatewayClass";
+export type GatewayClass = import("./gatewayClass").GatewayClass;
+export const GatewayClass: typeof import("./gatewayClass").GatewayClass = null as any;
+utilities.lazyLoad(exports, ["GatewayClass"], () => require("./gatewayClass"));
+
+export { GatewayClassListArgs } from "./gatewayClassList";
+export type GatewayClassList = import("./gatewayClassList").GatewayClassList;
+export const GatewayClassList: typeof import("./gatewayClassList").GatewayClassList = null as any;
+utilities.lazyLoad(exports, ["GatewayClassList"], () => require("./gatewayClassList"));
+
+export { GatewayClassPatchArgs } from "./gatewayClassPatch";
+export type GatewayClassPatch = import("./gatewayClassPatch").GatewayClassPatch;
+export const GatewayClassPatch: typeof import("./gatewayClassPatch").GatewayClassPatch = null as any;
+utilities.lazyLoad(exports, ["GatewayClassPatch"], () => require("./gatewayClassPatch"));
+
+export { GatewayListArgs } from "./gatewayList";
+export type GatewayList = import("./gatewayList").GatewayList;
+export const GatewayList: typeof import("./gatewayList").GatewayList = null as any;
+utilities.lazyLoad(exports, ["GatewayList"], () => require("./gatewayList"));
+
+export { GatewayPatchArgs } from "./gatewayPatch";
+export type GatewayPatch = import("./gatewayPatch").GatewayPatch;
+export const GatewayPatch: typeof import("./gatewayPatch").GatewayPatch = null as any;
+utilities.lazyLoad(exports, ["GatewayPatch"], () => require("./gatewayPatch"));
+
+export { HTTPRouteArgs } from "./httproute";
+export type HTTPRoute = import("./httproute").HTTPRoute;
+export const HTTPRoute: typeof import("./httproute").HTTPRoute = null as any;
+utilities.lazyLoad(exports, ["HTTPRoute"], () => require("./httproute"));
+
+export { HTTPRouteListArgs } from "./httprouteList";
+export type HTTPRouteList = import("./httprouteList").HTTPRouteList;
+export const HTTPRouteList: typeof import("./httprouteList").HTTPRouteList = null as any;
+utilities.lazyLoad(exports, ["HTTPRouteList"], () => require("./httprouteList"));
+
+export { HTTPRoutePatchArgs } from "./httproutePatch";
+export type HTTPRoutePatch = import("./httproutePatch").HTTPRoutePatch;
+export const HTTPRoutePatch: typeof import("./httproutePatch").HTTPRoutePatch = null as any;
+utilities.lazyLoad(exports, ["HTTPRoutePatch"], () => require("./httproutePatch"));
+
+export { ReferenceGrantArgs } from "./referenceGrant";
+export type ReferenceGrant = import("./referenceGrant").ReferenceGrant;
+export const ReferenceGrant: typeof import("./referenceGrant").ReferenceGrant = null as any;
+utilities.lazyLoad(exports, ["ReferenceGrant"], () => require("./referenceGrant"));
+
+export { ReferenceGrantListArgs } from "./referenceGrantList";
+export type ReferenceGrantList = import("./referenceGrantList").ReferenceGrantList;
+export const ReferenceGrantList: typeof import("./referenceGrantList").ReferenceGrantList = null as any;
+utilities.lazyLoad(exports, ["ReferenceGrantList"], () => require("./referenceGrantList"));
+
+export { ReferenceGrantPatchArgs } from "./referenceGrantPatch";
+export type ReferenceGrantPatch = import("./referenceGrantPatch").ReferenceGrantPatch;
+export const ReferenceGrantPatch: typeof import("./referenceGrantPatch").ReferenceGrantPatch = null as any;
+utilities.lazyLoad(exports, ["ReferenceGrantPatch"], () => require("./referenceGrantPatch"));
+
+
+const _module = {
+    version: utilities.getVersion(),
+    construct: (name: string, type: string, urn: string): pulumi.Resource => {
+        switch (type) {
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:Gateway":
+                return new Gateway(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClass":
+                return new GatewayClass(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassList":
+                return new GatewayClassList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayClassPatch":
+                return new GatewayClassPatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayList":
+                return new GatewayList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:GatewayPatch":
+                return new GatewayPatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoute":
+                return new HTTPRoute(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRouteList":
+                return new HTTPRouteList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:HTTPRoutePatch":
+                return new HTTPRoutePatch(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrant":
+                return new ReferenceGrant(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantList":
+                return new ReferenceGrantList(name, <any>undefined, { urn })
+            case "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantPatch":
+                return new ReferenceGrantPatch(name, <any>undefined, { urn })
+            default:
+                throw new Error(`unknown resource type ${type}`);
+        }
+    },
+};
+pulumi.runtime.registerResourceModule("crds", "gateway.networking.k8s.io/v1beta1", _module)
diff --git a/generated/crds/gateway/v1beta1/referenceGrant.d.ts b/generated/crds/gateway/v1beta1/referenceGrant.d.ts
new file mode 100644
index 0000000..4922c8e
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/referenceGrant.d.ts
@@ -0,0 +1,78 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * ReferenceGrant identifies kinds of resources in other namespaces that are
+ * trusted to reference the specified kinds of resources in the same namespace
+ * as the policy.
+ *
+ * Each ReferenceGrant can be used to represent a unique trust relationship.
+ * Additional Reference Grants can be used to add to the set of trusted
+ * sources of inbound references for the namespace they are defined within.
+ *
+ * All cross-namespace references in Gateway API (with the exception of cross-namespace
+ * Gateway-route attachment) require a ReferenceGrant.
+ *
+ * ReferenceGrant is a form of runtime verification allowing users to assert
+ * which cross-namespace object references are permitted. Implementations that
+ * support ReferenceGrant MUST NOT permit cross-namespace references which have
+ * no grant, and MUST respond to the removal of a grant by revoking the access
+ * that the grant allowed.
+ */
+export declare class ReferenceGrant extends pulumi.CustomResource {
+    /**
+     * Get an existing ReferenceGrant resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ReferenceGrant;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrant";
+    /**
+     * Returns true if the given object is an instance of ReferenceGrant.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is ReferenceGrant;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"ReferenceGrant">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    readonly spec: pulumi.Output<outputs.gateway.v1beta1.ReferenceGrantSpec>;
+    /**
+     * Create a ReferenceGrant resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ReferenceGrantArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a ReferenceGrant resource.
+ */
+export interface ReferenceGrantArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ReferenceGrant">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpec>;
+}
diff --git a/generated/crds/gateway/v1beta1/referenceGrant.js b/generated/crds/gateway/v1beta1/referenceGrant.js
new file mode 100644
index 0000000..e951a81
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/referenceGrant.js
@@ -0,0 +1,76 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ReferenceGrant = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * ReferenceGrant identifies kinds of resources in other namespaces that are
+ * trusted to reference the specified kinds of resources in the same namespace
+ * as the policy.
+ *
+ * Each ReferenceGrant can be used to represent a unique trust relationship.
+ * Additional Reference Grants can be used to add to the set of trusted
+ * sources of inbound references for the namespace they are defined within.
+ *
+ * All cross-namespace references in Gateway API (with the exception of cross-namespace
+ * Gateway-route attachment) require a ReferenceGrant.
+ *
+ * ReferenceGrant is a form of runtime verification allowing users to assert
+ * which cross-namespace object references are permitted. Implementations that
+ * support ReferenceGrant MUST NOT permit cross-namespace references which have
+ * no grant, and MUST respond to the removal of a grant by revoking the access
+ * that the grant allowed.
+ */
+class ReferenceGrant extends pulumi.CustomResource {
+    /**
+     * Get an existing ReferenceGrant resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new ReferenceGrant(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of ReferenceGrant.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ReferenceGrant.__pulumiType;
+    }
+    /**
+     * Create a ReferenceGrant resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "ReferenceGrant";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ReferenceGrant.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.ReferenceGrant = ReferenceGrant;
+/** @internal */
+ReferenceGrant.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrant';
diff --git a/generated/crds/gateway/v1beta1/referenceGrant.ts b/generated/crds/gateway/v1beta1/referenceGrant.ts
new file mode 100644
index 0000000..99c6e64
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/referenceGrant.ts
@@ -0,0 +1,111 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * ReferenceGrant identifies kinds of resources in other namespaces that are
+ * trusted to reference the specified kinds of resources in the same namespace
+ * as the policy.
+ *
+ * Each ReferenceGrant can be used to represent a unique trust relationship.
+ * Additional Reference Grants can be used to add to the set of trusted
+ * sources of inbound references for the namespace they are defined within.
+ *
+ * All cross-namespace references in Gateway API (with the exception of cross-namespace
+ * Gateway-route attachment) require a ReferenceGrant.
+ *
+ * ReferenceGrant is a form of runtime verification allowing users to assert
+ * which cross-namespace object references are permitted. Implementations that
+ * support ReferenceGrant MUST NOT permit cross-namespace references which have
+ * no grant, and MUST respond to the removal of a grant by revoking the access
+ * that the grant allowed.
+ */
+export class ReferenceGrant extends pulumi.CustomResource {
+    /**
+     * Get an existing ReferenceGrant resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ReferenceGrant {
+        return new ReferenceGrant(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrant';
+
+    /**
+     * Returns true if the given object is an instance of ReferenceGrant.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is ReferenceGrant {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ReferenceGrant.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"ReferenceGrant">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMeta>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1beta1.ReferenceGrantSpec>;
+
+    /**
+     * Create a ReferenceGrant resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ReferenceGrantArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "ReferenceGrant";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ReferenceGrant.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a ReferenceGrant resource.
+ */
+export interface ReferenceGrantArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ReferenceGrant">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpec>;
+}
diff --git a/generated/crds/gateway/v1beta1/referenceGrantList.d.ts b/generated/crds/gateway/v1beta1/referenceGrantList.d.ts
new file mode 100644
index 0000000..2e152b6
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/referenceGrantList.d.ts
@@ -0,0 +1,69 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * ReferenceGrantList is a list of ReferenceGrant
+ */
+export declare class ReferenceGrantList extends pulumi.CustomResource {
+    /**
+     * Get an existing ReferenceGrantList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ReferenceGrantList;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantList";
+    /**
+     * Returns true if the given object is an instance of ReferenceGrantList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is ReferenceGrantList;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of referencegrants. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    readonly items: pulumi.Output<outputs.gateway.v1beta1.ReferenceGrant[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"ReferenceGrantList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ListMeta>;
+    /**
+     * Create a ReferenceGrantList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ReferenceGrantListArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a ReferenceGrantList resource.
+ */
+export interface ReferenceGrantListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of referencegrants. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrant>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ReferenceGrantList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1beta1/referenceGrantList.js b/generated/crds/gateway/v1beta1/referenceGrantList.js
new file mode 100644
index 0000000..0cb0c94
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/referenceGrantList.js
@@ -0,0 +1,64 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ReferenceGrantList = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * ReferenceGrantList is a list of ReferenceGrant
+ */
+class ReferenceGrantList extends pulumi.CustomResource {
+    /**
+     * Get an existing ReferenceGrantList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new ReferenceGrantList(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of ReferenceGrantList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ReferenceGrantList.__pulumiType;
+    }
+    /**
+     * Create a ReferenceGrantList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "ReferenceGrantList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ReferenceGrantList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.ReferenceGrantList = ReferenceGrantList;
+/** @internal */
+ReferenceGrantList.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantList';
diff --git a/generated/crds/gateway/v1beta1/referenceGrantList.ts b/generated/crds/gateway/v1beta1/referenceGrantList.ts
new file mode 100644
index 0000000..3ac5686
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/referenceGrantList.ts
@@ -0,0 +1,105 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * ReferenceGrantList is a list of ReferenceGrant
+ */
+export class ReferenceGrantList extends pulumi.CustomResource {
+    /**
+     * Get an existing ReferenceGrantList resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ReferenceGrantList {
+        return new ReferenceGrantList(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantList';
+
+    /**
+     * Returns true if the given object is an instance of ReferenceGrantList.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is ReferenceGrantList {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ReferenceGrantList.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of referencegrants. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    public readonly items!: pulumi.Output<outputs.gateway.v1beta1.ReferenceGrant[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"ReferenceGrantList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ListMeta>;
+
+    /**
+     * Create a ReferenceGrantList resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ReferenceGrantListArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            if ((!args || args.items === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'items'");
+            }
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["items"] = args ? args.items : undefined;
+            resourceInputs["kind"] = "ReferenceGrantList";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["items"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ReferenceGrantList.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a ReferenceGrantList resource.
+ */
+export interface ReferenceGrantListArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * List of referencegrants. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md
+     */
+    items: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrant>[]>;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ReferenceGrantList">;
+    /**
+     * Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ListMeta>;
+}
diff --git a/generated/crds/gateway/v1beta1/referenceGrantPatch.d.ts b/generated/crds/gateway/v1beta1/referenceGrantPatch.d.ts
new file mode 100644
index 0000000..48c92fc
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/referenceGrantPatch.d.ts
@@ -0,0 +1,84 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * ReferenceGrant identifies kinds of resources in other namespaces that are
+ * trusted to reference the specified kinds of resources in the same namespace
+ * as the policy.
+ *
+ * Each ReferenceGrant can be used to represent a unique trust relationship.
+ * Additional Reference Grants can be used to add to the set of trusted
+ * sources of inbound references for the namespace they are defined within.
+ *
+ * All cross-namespace references in Gateway API (with the exception of cross-namespace
+ * Gateway-route attachment) require a ReferenceGrant.
+ *
+ * ReferenceGrant is a form of runtime verification allowing users to assert
+ * which cross-namespace object references are permitted. Implementations that
+ * support ReferenceGrant MUST NOT permit cross-namespace references which have
+ * no grant, and MUST respond to the removal of a grant by revoking the access
+ * that the grant allowed.
+ */
+export declare class ReferenceGrantPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing ReferenceGrantPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ReferenceGrantPatch;
+    /** @internal */
+    static readonly __pulumiType = "kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantPatch";
+    /**
+     * Returns true if the given object is an instance of ReferenceGrantPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is ReferenceGrantPatch;
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    readonly apiVersion: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    readonly kind: pulumi.Output<"ReferenceGrant">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    readonly metadata: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    readonly spec: pulumi.Output<outputs.gateway.v1beta1.ReferenceGrantSpecPatch>;
+    /**
+     * Create a ReferenceGrantPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ReferenceGrantPatchArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * The set of arguments for constructing a ReferenceGrantPatch resource.
+ */
+export interface ReferenceGrantPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ReferenceGrant">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecPatch>;
+}
diff --git a/generated/crds/gateway/v1beta1/referenceGrantPatch.js b/generated/crds/gateway/v1beta1/referenceGrantPatch.js
new file mode 100644
index 0000000..4c1e69c
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/referenceGrantPatch.js
@@ -0,0 +1,82 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ReferenceGrantPatch = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("../../utilities");
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * ReferenceGrant identifies kinds of resources in other namespaces that are
+ * trusted to reference the specified kinds of resources in the same namespace
+ * as the policy.
+ *
+ * Each ReferenceGrant can be used to represent a unique trust relationship.
+ * Additional Reference Grants can be used to add to the set of trusted
+ * sources of inbound references for the namespace they are defined within.
+ *
+ * All cross-namespace references in Gateway API (with the exception of cross-namespace
+ * Gateway-route attachment) require a ReferenceGrant.
+ *
+ * ReferenceGrant is a form of runtime verification allowing users to assert
+ * which cross-namespace object references are permitted. Implementations that
+ * support ReferenceGrant MUST NOT permit cross-namespace references which have
+ * no grant, and MUST respond to the removal of a grant by revoking the access
+ * that the grant allowed.
+ */
+class ReferenceGrantPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing ReferenceGrantPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, opts) {
+        return new ReferenceGrantPatch(name, undefined, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of ReferenceGrantPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ReferenceGrantPatch.__pulumiType;
+    }
+    /**
+     * Create a ReferenceGrantPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "ReferenceGrant";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+        }
+        else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ReferenceGrantPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.ReferenceGrantPatch = ReferenceGrantPatch;
+/** @internal */
+ReferenceGrantPatch.__pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantPatch';
diff --git a/generated/crds/gateway/v1beta1/referenceGrantPatch.ts b/generated/crds/gateway/v1beta1/referenceGrantPatch.ts
new file mode 100644
index 0000000..7ed5db4
--- /dev/null
+++ b/generated/crds/gateway/v1beta1/referenceGrantPatch.ts
@@ -0,0 +1,117 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../../types/input";
+import * as outputs from "../../types/output";
+import * as utilities from "../../utilities";
+
+/**
+ * Patch resources are used to modify existing Kubernetes resources by using
+ * Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+ * one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
+ * Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
+ * [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
+ * additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.
+ * ReferenceGrant identifies kinds of resources in other namespaces that are
+ * trusted to reference the specified kinds of resources in the same namespace
+ * as the policy.
+ *
+ * Each ReferenceGrant can be used to represent a unique trust relationship.
+ * Additional Reference Grants can be used to add to the set of trusted
+ * sources of inbound references for the namespace they are defined within.
+ *
+ * All cross-namespace references in Gateway API (with the exception of cross-namespace
+ * Gateway-route attachment) require a ReferenceGrant.
+ *
+ * ReferenceGrant is a form of runtime verification allowing users to assert
+ * which cross-namespace object references are permitted. Implementations that
+ * support ReferenceGrant MUST NOT permit cross-namespace references which have
+ * no grant, and MUST respond to the removal of a grant by revoking the access
+ * that the grant allowed.
+ */
+export class ReferenceGrantPatch extends pulumi.CustomResource {
+    /**
+     * Get an existing ReferenceGrantPatch resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, opts?: pulumi.CustomResourceOptions): ReferenceGrantPatch {
+        return new ReferenceGrantPatch(name, undefined as any, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'kubernetes:gateway.networking.k8s.io/v1beta1:ReferenceGrantPatch';
+
+    /**
+     * Returns true if the given object is an instance of ReferenceGrantPatch.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is ReferenceGrantPatch {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ReferenceGrantPatch.__pulumiType;
+    }
+
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    public readonly apiVersion!: pulumi.Output<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    public readonly kind!: pulumi.Output<"ReferenceGrant">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    public readonly metadata!: pulumi.Output<outputs.meta.v1.ObjectMetaPatch>;
+    public readonly spec!: pulumi.Output<outputs.gateway.v1beta1.ReferenceGrantSpecPatch>;
+
+    /**
+     * Create a ReferenceGrantPatch resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ReferenceGrantPatchArgs, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (!opts.id) {
+            resourceInputs["apiVersion"] = "gateway.networking.k8s.io/v1beta1";
+            resourceInputs["kind"] = "ReferenceGrant";
+            resourceInputs["metadata"] = args ? args.metadata : undefined;
+            resourceInputs["spec"] = args ? args.spec : undefined;
+        } else {
+            resourceInputs["apiVersion"] = undefined /*out*/;
+            resourceInputs["kind"] = undefined /*out*/;
+            resourceInputs["metadata"] = undefined /*out*/;
+            resourceInputs["spec"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ReferenceGrantPatch.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a ReferenceGrantPatch resource.
+ */
+export interface ReferenceGrantPatchArgs {
+    /**
+     * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+     */
+    apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+    /**
+     * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+     */
+    kind?: pulumi.Input<"ReferenceGrant">;
+    /**
+     * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+     */
+    metadata?: pulumi.Input<inputs.meta.v1.ObjectMetaPatch>;
+    spec?: pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecPatch>;
+}
diff --git a/generated/crds/index.d.ts b/generated/crds/index.d.ts
new file mode 100644
index 0000000..7b427eb
--- /dev/null
+++ b/generated/crds/index.d.ts
@@ -0,0 +1,8 @@
+export { ProviderArgs } from "./provider";
+export type Provider = import("./provider").Provider;
+export declare const Provider: typeof import("./provider").Provider;
+import * as acme from "./acme";
+import * as cert_manager from "./cert_manager";
+import * as gateway from "./gateway";
+import * as types from "./types";
+export { acme, cert_manager, gateway, types, };
diff --git a/generated/crds/index.js b/generated/crds/index.js
new file mode 100644
index 0000000..613508e
--- /dev/null
+++ b/generated/crds/index.js
@@ -0,0 +1,27 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.types = exports.gateway = exports.cert_manager = exports.acme = exports.Provider = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("./utilities");
+exports.Provider = null;
+utilities.lazyLoad(exports, ["Provider"], () => require("./provider"));
+// Export sub-modules:
+const acme = require("./acme");
+exports.acme = acme;
+const cert_manager = require("./cert_manager");
+exports.cert_manager = cert_manager;
+const gateway = require("./gateway");
+exports.gateway = gateway;
+const types = require("./types");
+exports.types = types;
+pulumi.runtime.registerResourcePackage("crds", {
+    version: utilities.getVersion(),
+    constructProvider: (name, type, urn) => {
+        if (type !== "pulumi:providers:kubernetes") {
+            throw new Error(`unknown provider type ${type}`);
+        }
+        return new exports.Provider(name, undefined, { urn });
+    },
+});
diff --git a/generated/crds/index.ts b/generated/crds/index.ts
new file mode 100644
index 0000000..b38bb78
--- /dev/null
+++ b/generated/crds/index.ts
@@ -0,0 +1,34 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "./utilities";
+
+// Export members:
+export { ProviderArgs } from "./provider";
+export type Provider = import("./provider").Provider;
+export const Provider: typeof import("./provider").Provider = null as any;
+utilities.lazyLoad(exports, ["Provider"], () => require("./provider"));
+
+
+// Export sub-modules:
+import * as acme from "./acme";
+import * as cert_manager from "./cert_manager";
+import * as gateway from "./gateway";
+import * as types from "./types";
+
+export {
+    acme,
+    cert_manager,
+    gateway,
+    types,
+};
+pulumi.runtime.registerResourcePackage("crds", {
+    version: utilities.getVersion(),
+    constructProvider: (name: string, type: string, urn: string): pulumi.ProviderResource => {
+        if (type !== "pulumi:providers:kubernetes") {
+            throw new Error(`unknown provider type ${type}`);
+        }
+        return new Provider(name, <any>undefined, { urn });
+    },
+});
diff --git a/generated/crds/meta/v1.d.ts b/generated/crds/meta/v1.d.ts
new file mode 100644
index 0000000..9193609
--- /dev/null
+++ b/generated/crds/meta/v1.d.ts
@@ -0,0 +1,3 @@
+import * as k8s from "@pulumi/kubernetes";
+export type ObjectMeta = k8s.types.input.meta.v1.ObjectMeta;
+export type ObjectMetaPatch = k8s.types.input.meta.v1.ObjectMetaPatch;
diff --git a/generated/crds/meta/v1.js b/generated/crds/meta/v1.js
new file mode 100644
index 0000000..c8ad2e5
--- /dev/null
+++ b/generated/crds/meta/v1.js
@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
diff --git a/generated/crds/meta/v1.ts b/generated/crds/meta/v1.ts
new file mode 100644
index 0000000..6de38b6
--- /dev/null
+++ b/generated/crds/meta/v1.ts
@@ -0,0 +1,4 @@
+import * as k8s from "@pulumi/kubernetes";
+
+export type ObjectMeta = k8s.types.input.meta.v1.ObjectMeta;
+export type ObjectMetaPatch = k8s.types.input.meta.v1.ObjectMetaPatch;
diff --git a/generated/crds/package.json b/generated/crds/package.json
new file mode 100644
index 0000000..9448fa7
--- /dev/null
+++ b/generated/crds/package.json
@@ -0,0 +1,32 @@
+{
+  "name": "@pulumi/crds",
+  "version": "0.0.0-dev",
+  "keywords": [
+    "pulumi",
+    "kubernetes",
+    "category/cloud",
+    "kind/native"
+  ],
+  "homepage": "https://pulumi.com",
+  "repository": "https://github.com/pulumi/pulumi-kubernetes",
+  "license": "Apache-2.0",
+  "main": "bin/index.js",
+  "dependencies": {
+    "@pulumi/kubernetes": "4.23.0",
+    "@pulumi/pulumi": "^3.142.0",
+    "glob": "^10.3.10",
+    "shell-quote": "^1.6.1"
+  },
+  "devDependencies": {
+    "@types/mocha": "^5.2.5",
+    "@types/node": "^18",
+    "@types/shell-quote": "^1.6.0",
+    "mocha": "^5.2.0",
+    "typescript": "^4.3.5"
+  },
+  "pulumi": {
+    "resource": true,
+    "name": "crds",
+    "version": "0.0.0-dev"
+  }
+}
\ No newline at end of file
diff --git a/generated/crds/provider.d.ts b/generated/crds/provider.d.ts
new file mode 100644
index 0000000..1e5aa54
--- /dev/null
+++ b/generated/crds/provider.d.ts
@@ -0,0 +1,23 @@
+import * as pulumi from "@pulumi/pulumi";
+export declare class Provider extends pulumi.ProviderResource {
+    /** @internal */
+    static readonly __pulumiType = "crds";
+    /**
+     * Returns true if the given object is an instance of Provider.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is Provider;
+    /**
+     * Create a Provider resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ProviderArgs, opts?: pulumi.ResourceOptions);
+}
+/**
+ * The set of arguments for constructing a Provider resource.
+ */
+export interface ProviderArgs {
+}
diff --git a/generated/crds/provider.js b/generated/crds/provider.js
new file mode 100644
index 0000000..f928a53
--- /dev/null
+++ b/generated/crds/provider.js
@@ -0,0 +1,37 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Provider = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("./utilities");
+class Provider extends pulumi.ProviderResource {
+    /**
+     * Returns true if the given object is an instance of Provider.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === "pulumi:providers:" + Provider.__pulumiType;
+    }
+    /**
+     * Create a Provider resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name, args, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        {
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Provider.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.Provider = Provider;
+/** @internal */
+Provider.__pulumiType = 'crds';
diff --git a/generated/crds/provider.ts b/generated/crds/provider.ts
new file mode 100644
index 0000000..cfebb94
--- /dev/null
+++ b/generated/crds/provider.ts
@@ -0,0 +1,44 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as utilities from "./utilities";
+
+export class Provider extends pulumi.ProviderResource {
+    /** @internal */
+    public static readonly __pulumiType = 'crds';
+
+    /**
+     * Returns true if the given object is an instance of Provider.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is Provider {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === "pulumi:providers:" + Provider.__pulumiType;
+    }
+
+
+    /**
+     * Create a Provider resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args?: ProviderArgs, opts?: pulumi.ResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        {
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(Provider.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * The set of arguments for constructing a Provider resource.
+ */
+export interface ProviderArgs {
+}
diff --git a/generated/crds/scripts/postinstall.js b/generated/crds/scripts/postinstall.js
new file mode 100644
index 0000000..4df2810
--- /dev/null
+++ b/generated/crds/scripts/postinstall.js
@@ -0,0 +1,13 @@
+const fs = require("node:fs");
+const path = require("node:path")
+const process = require("node:process")
+const { execSync } = require('node:child_process');
+try {
+  const out = execSync('tsc')
+  console.log(out.toString())
+} catch (error) {
+  console.error(error.message + ": " + error.stdout.toString() + "\n" + error.stderr.toString())
+  process.exit(1)
+}
+// TypeScript is compiled to "./bin", copy package.json to that directory so it can be read in "getVersion".
+fs.copyFileSync(path.join(__dirname, "..", "package.json"), path.join(__dirname, "..", "bin", "package.json"));
diff --git a/generated/crds/tsconfig.json b/generated/crds/tsconfig.json
new file mode 100644
index 0000000..2b7ba38
--- /dev/null
+++ b/generated/crds/tsconfig.json
@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "es2020",
+    "module": "commonjs",
+    "moduleResolution": "node",
+    "declaration": true,
+    "skipLibCheck": true
+  },
+  "include": [
+    "**/*.ts"
+  ],
+  "exclude": [
+    "node_modules"
+  ]
+}
\ No newline at end of file
diff --git a/generated/crds/types/index.d.ts b/generated/crds/types/index.d.ts
new file mode 100644
index 0000000..81efd51
--- /dev/null
+++ b/generated/crds/types/index.d.ts
@@ -0,0 +1,3 @@
+import * as input from "./input";
+import * as output from "./output";
+export { input, output, };
diff --git a/generated/crds/types/index.js b/generated/crds/types/index.js
new file mode 100644
index 0000000..1086247
--- /dev/null
+++ b/generated/crds/types/index.js
@@ -0,0 +1,10 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.output = exports.input = void 0;
+// Export sub-modules:
+const input = require("./input");
+exports.input = input;
+const output = require("./output");
+exports.output = output;
diff --git a/generated/crds/types/index.ts b/generated/crds/types/index.ts
new file mode 100644
index 0000000..41e116a
--- /dev/null
+++ b/generated/crds/types/index.ts
@@ -0,0 +1,13 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as utilities from "../utilities";
+
+// Export sub-modules:
+import * as input from "./input";
+import * as output from "./output";
+
+export {
+    input,
+    output,
+};
diff --git a/generated/crds/types/input.d.ts b/generated/crds/types/input.d.ts
new file mode 100644
index 0000000..e5cd2e5
--- /dev/null
+++ b/generated/crds/types/input.d.ts
@@ -0,0 +1,48206 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+export declare namespace acme {
+    namespace v1 {
+        /**
+         * Challenge is a type to represent a Challenge request with an ACME server
+         */
+        interface Challenge {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Challenge">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpec>;
+            status?: pulumi.Input<inputs.acme.v1.ChallengeStatus>;
+        }
+        interface ChallengeSpec {
+            /**
+             * The URL to the ACME Authorization resource that this
+             * challenge is a part of.
+             */
+            authorizationURL?: pulumi.Input<string>;
+            /**
+             * dnsName is the identifier that this challenge is for, e.g., example.com.
+             * If the requested DNSName is a 'wildcard', this field MUST be set to the
+             * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
+             */
+            dnsName?: pulumi.Input<string>;
+            issuerRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecIssuerRef>;
+            /**
+             * The ACME challenge key for this challenge
+             * For HTTP01 challenges, this is the value that must be responded with to
+             * complete the HTTP01 challenge in the format:
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`.
+             * For DNS01 challenges, this is the base64 encoded SHA256 sum of the
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`
+             * text that must be set as the TXT record content.
+             */
+            key?: pulumi.Input<string>;
+            solver?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolver>;
+            /**
+             * The ACME challenge token for this challenge.
+             * This is the raw value returned from the ACME server.
+             */
+            token?: pulumi.Input<string>;
+            /**
+             * The type of ACME challenge this resource represents.
+             * One of "HTTP-01" or "DNS-01".
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * The URL of the ACME Challenge resource for this challenge.
+             * This can be used to lookup details about the status of this challenge.
+             */
+            url?: pulumi.Input<string>;
+            /**
+             * wildcard will be true if this challenge is for a wildcard identifier,
+             * for example '*.example.com'.
+             */
+            wildcard?: pulumi.Input<boolean>;
+        }
+        /**
+         * References a properly configured ACME-type Issuer which should
+         * be used to create this Challenge.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Challenge will be marked as failed.
+         */
+        interface ChallengeSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * References a properly configured ACME-type Issuer which should
+         * be used to create this Challenge.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Challenge will be marked as failed.
+         */
+        interface ChallengeSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+        interface ChallengeSpecPatch {
+            /**
+             * The URL to the ACME Authorization resource that this
+             * challenge is a part of.
+             */
+            authorizationURL?: pulumi.Input<string>;
+            /**
+             * dnsName is the identifier that this challenge is for, e.g., example.com.
+             * If the requested DNSName is a 'wildcard', this field MUST be set to the
+             * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
+             */
+            dnsName?: pulumi.Input<string>;
+            issuerRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecIssuerRefPatch>;
+            /**
+             * The ACME challenge key for this challenge
+             * For HTTP01 challenges, this is the value that must be responded with to
+             * complete the HTTP01 challenge in the format:
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`.
+             * For DNS01 challenges, this is the base64 encoded SHA256 sum of the
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`
+             * text that must be set as the TXT record content.
+             */
+            key?: pulumi.Input<string>;
+            solver?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverPatch>;
+            /**
+             * The ACME challenge token for this challenge.
+             * This is the raw value returned from the ACME server.
+             */
+            token?: pulumi.Input<string>;
+            /**
+             * The type of ACME challenge this resource represents.
+             * One of "HTTP-01" or "DNS-01".
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * The URL of the ACME Challenge resource for this challenge.
+             * This can be used to lookup details about the status of this challenge.
+             */
+            url?: pulumi.Input<string>;
+            /**
+             * wildcard will be true if this challenge is for a wildcard identifier,
+             * for example '*.example.com'.
+             */
+            wildcard?: pulumi.Input<boolean>;
+        }
+        /**
+         * Contains the domain solving configuration that should be used to
+         * solve this challenge resource.
+         */
+        interface ChallengeSpecSolver {
+            dns01?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01>;
+            http01?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01>;
+            selector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverSelector>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface ChallengeSpecSolverDns01 {
+            acmeDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AcmeDNS>;
+            akamai?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Akamai>;
+            azureDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNS>;
+            cloudDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudDNS>;
+            cloudflare?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Cloudflare>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Digitalocean>;
+            rfc2136?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Rfc2136>;
+            route53?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53>;
+            webhook?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Webhook>;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AcmeDNS {
+            accountSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSAccountSecretRef>;
+            host?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AcmeDNSPatch {
+            accountSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSAccountSecretRefPatch>;
+            host?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Akamai {
+            accessTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiAccessTokenSecretRef>;
+            clientSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientSecretSecretRef>;
+            clientTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientTokenSecretRef>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AkamaiPatch {
+            accessTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiAccessTokenSecretRefPatch>;
+            clientSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientSecretSecretRefPatch>;
+            clientTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientTokenSecretRefPatch>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSClientSecretSecretRef>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSManagedIdentity>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSClientSecretSecretRefPatch>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRef>;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRefPatch>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Cloudflare {
+            apiKeySecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiKeySecretRef>;
+            apiTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiTokenSecretRef>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface ChallengeSpecSolverDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface ChallengeSpecSolverDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface ChallengeSpecSolverDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface ChallengeSpecSolverDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01CloudflarePatch {
+            apiKeySecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiKeySecretRefPatch>;
+            apiTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiTokenSecretRefPatch>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Digitalocean {
+            tokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanTokenSecretRef>;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01DigitaloceanPatch {
+            tokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanTokenSecretRefPatch>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface ChallengeSpecSolverDns01Patch {
+            acmeDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSPatch>;
+            akamai?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiPatch>;
+            azureDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSPatch>;
+            cloudDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudDNSPatch>;
+            cloudflare?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflarePatch>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanPatch>;
+            rfc2136?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Rfc2136Patch>;
+            route53?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53Patch>;
+            webhook?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01WebhookPatch>;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRef>;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRefPatch>;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef>;
+            auth?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53Auth>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53SecretAccessKeySecretRef>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface ChallengeSpecSolverDns01Route53Auth {
+            kubernetes?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetes>;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthKubernetes {
+            serviceAccountRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRef>;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthKubernetesPatch {
+            serviceAccountRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRefPatch>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthPatch {
+            kubernetes?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesPatch>;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch>;
+            auth?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthPatch>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53SecretAccessKeySecretRefPatch>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ChallengeSpecSolverDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ChallengeSpecSolverDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{
+                [key: string]: any;
+            }>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{
+                [key: string]: any;
+            }>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface ChallengeSpecSolverHttp01 {
+            gatewayHTTPRoute?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoute>;
+            ingress?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01Ingress>;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs>[]>;
+            podTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch>[]>;
+            podTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls>[]>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface ChallengeSpecSolverHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplate>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01IngressIngressTemplate {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplateMetadata>;
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01IngressIngressTemplatePatch {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplateMetadataPatch>;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface ChallengeSpecSolverHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplatePatch>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplate {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpec>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplatePatch {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecPatch>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpec {
+            affinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerations>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinity>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls>[]>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface ChallengeSpecSolverHttp01Patch {
+            gatewayHTTPRoute?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePatch>;
+            ingress?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPatch>;
+        }
+        /**
+         * Contains the domain solving configuration that should be used to
+         * solve this challenge resource.
+         */
+        interface ChallengeSpecSolverPatch {
+            dns01?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Patch>;
+            http01?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01Patch>;
+            selector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverSelectorPatch>;
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface ChallengeSpecSolverSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface ChallengeSpecSolverSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        interface ChallengeStatus {
+            /**
+             * presented will be set to true if the challenge values for this challenge
+             * are currently 'presented'.
+             * This *does not* imply the self check is passing. Only that the values
+             * have been 'submitted' for the appropriate challenge mechanism (i.e. the
+             * DNS01 TXT record has been presented, or the HTTP01 configuration has been
+             * configured).
+             */
+            presented?: pulumi.Input<boolean>;
+            /**
+             * Used to denote whether this challenge should be processed or not.
+             * This field will only be set to true by the 'scheduling' component.
+             * It will only be set to false by the 'challenges' controller, after the
+             * challenge has reached a final state or timed out.
+             * If this field is set to false, the challenge controller will not take
+             * any more action.
+             */
+            processing?: pulumi.Input<boolean>;
+            /**
+             * Contains human readable information on why the Challenge is in the
+             * current state.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Contains the current 'state' of the challenge.
+             * If not set, the state of the challenge is unknown.
+             */
+            state?: pulumi.Input<string>;
+        }
+        /**
+         * Order is a type to represent an Order with an ACME server
+         */
+        interface Order {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Order">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.acme.v1.OrderSpec>;
+            status?: pulumi.Input<inputs.acme.v1.OrderStatus>;
+        }
+        interface OrderSpec {
+            /**
+             * CommonName is the common name as specified on the DER encoded CSR.
+             * If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            commonName?: pulumi.Input<string>;
+            /**
+             * DNSNames is a list of DNS names that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Duration is the duration for the not after date for the requested certificate.
+             * this is set on order creation as pe the ACME spec.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * IPAddresses is a list of IP addresses that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            ipAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            issuerRef?: pulumi.Input<inputs.acme.v1.OrderSpecIssuerRef>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Certificate signing request bytes in DER encoding.
+             * This will be used when finalizing the order.
+             * This field must be set on the order.
+             */
+            request?: pulumi.Input<string>;
+        }
+        /**
+         * IssuerRef references a properly configured ACME-type Issuer which should
+         * be used to create this Order.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Order will be marked as failed.
+         */
+        interface OrderSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * IssuerRef references a properly configured ACME-type Issuer which should
+         * be used to create this Order.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Order will be marked as failed.
+         */
+        interface OrderSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+        interface OrderSpecPatch {
+            /**
+             * CommonName is the common name as specified on the DER encoded CSR.
+             * If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            commonName?: pulumi.Input<string>;
+            /**
+             * DNSNames is a list of DNS names that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Duration is the duration for the not after date for the requested certificate.
+             * this is set on order creation as pe the ACME spec.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * IPAddresses is a list of IP addresses that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            ipAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            issuerRef?: pulumi.Input<inputs.acme.v1.OrderSpecIssuerRefPatch>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Certificate signing request bytes in DER encoding.
+             * This will be used when finalizing the order.
+             * This field must be set on the order.
+             */
+            request?: pulumi.Input<string>;
+        }
+        interface OrderStatus {
+            /**
+             * Authorizations contains data returned from the ACME server on what
+             * authorizations must be completed in order to validate the DNS names
+             * specified on the Order.
+             */
+            authorizations?: pulumi.Input<pulumi.Input<inputs.acme.v1.OrderStatusAuthorizations>[]>;
+            /**
+             * Certificate is a copy of the PEM encoded certificate for this Order.
+             * This field will be populated after the order has been successfully
+             * finalized with the ACME server, and the order has transitioned to the
+             * 'valid' state.
+             */
+            certificate?: pulumi.Input<string>;
+            /**
+             * FailureTime stores the time that this order failed.
+             * This is used to influence garbage collection and back-off.
+             */
+            failureTime?: pulumi.Input<string>;
+            /**
+             * FinalizeURL of the Order.
+             * This is used to obtain certificates for this order once it has been completed.
+             */
+            finalizeURL?: pulumi.Input<string>;
+            /**
+             * Reason optionally provides more information about a why the order is in
+             * the current state.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * State contains the current state of this Order resource.
+             * States 'success' and 'expired' are 'final'
+             */
+            state?: pulumi.Input<string>;
+            /**
+             * URL of the Order.
+             * This will initially be empty when the resource is first created.
+             * The Order controller will populate this field when the Order is first processed.
+             * This field will be immutable after it is initially set.
+             */
+            url?: pulumi.Input<string>;
+        }
+        /**
+         * ACMEAuthorization contains data returned from the ACME server on an
+         * authorization that must be completed in order validate a DNS name on an ACME
+         * Order resource.
+         */
+        interface OrderStatusAuthorizations {
+            /**
+             * Challenges specifies the challenge types offered by the ACME server.
+             * One of these challenge types will be selected when validating the DNS
+             * name and an appropriate Challenge resource will be created to perform
+             * the ACME challenge process.
+             */
+            challenges?: pulumi.Input<pulumi.Input<inputs.acme.v1.OrderStatusAuthorizationsChallenges>[]>;
+            /**
+             * Identifier is the DNS name to be validated as part of this authorization
+             */
+            identifier?: pulumi.Input<string>;
+            /**
+             * InitialState is the initial state of the ACME authorization when first
+             * fetched from the ACME server.
+             * If an Authorization is already 'valid', the Order controller will not
+             * create a Challenge resource for the authorization. This will occur when
+             * working with an ACME server that enables 'authz reuse' (such as Let's
+             * Encrypt's production endpoint).
+             * If not set and 'identifier' is set, the state is assumed to be pending
+             * and a Challenge will be created.
+             */
+            initialState?: pulumi.Input<string>;
+            /**
+             * URL is the URL of the Authorization that must be completed
+             */
+            url?: pulumi.Input<string>;
+            /**
+             * Wildcard will be true if this authorization is for a wildcard DNS name.
+             * If this is true, the identifier will be the *non-wildcard* version of
+             * the DNS name.
+             * For example, if '*.example.com' is the DNS name being validated, this
+             * field will be 'true' and the 'identifier' field will be 'example.com'.
+             */
+            wildcard?: pulumi.Input<boolean>;
+        }
+        /**
+         * Challenge specifies a challenge offered by the ACME server for an Order.
+         * An appropriate Challenge resource can be created to perform the ACME
+         * challenge process.
+         */
+        interface OrderStatusAuthorizationsChallenges {
+            /**
+             * Token is the token that must be presented for this challenge.
+             * This is used to compute the 'key' that must also be presented.
+             */
+            token?: pulumi.Input<string>;
+            /**
+             * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01',
+             * 'tls-sni-01', etc.
+             * This is the raw value retrieved from the ACME server.
+             * Only 'http-01' and 'dns-01' are supported by cert-manager, other values
+             * will be ignored.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URL is the URL of this challenge. It can be used to retrieve additional
+             * metadata about the Challenge from the ACME server.
+             */
+            url?: pulumi.Input<string>;
+        }
+    }
+}
+export declare namespace cert_manager {
+    namespace v1 {
+        /**
+         * A Certificate resource should be created to ensure an up to date and signed
+         * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+         *
+         * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+         */
+        interface Certificate {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Certificate">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.CertificateSpec>;
+            status?: pulumi.Input<inputs.cert_manager.v1.CertificateStatus>;
+        }
+        /**
+         * A CertificateRequest is used to request a signed certificate from one of the
+         * configured issuers.
+         *
+         * All fields within the CertificateRequest's `spec` are immutable after creation.
+         * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+         * condition and its `status.failureTime` field.
+         *
+         * A CertificateRequest is a one-shot resource, meaning it represents a single
+         * point in time request for a certificate and cannot be re-used.
+         */
+        interface CertificateRequest {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"CertificateRequest">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpec>;
+            status?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestStatus>;
+        }
+        /**
+         * Specification of the desired state of the CertificateRequest resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateRequestSpec {
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * Extra contains extra attributes of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            extra?: pulumi.Input<{
+                [key: string]: pulumi.Input<pulumi.Input<string>[]>;
+            }>;
+            /**
+             * Groups contains group membership of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            groups?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested basic constraints isCA value. Note that the issuer may choose
+             * to ignore the requested isCA value, just like any other requested attribute.
+             *
+             * NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
+             * it must have the same isCA value as specified here.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA?: pulumi.Input<boolean>;
+            issuerRef?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpecIssuerRef>;
+            /**
+             * The PEM-encoded X.509 certificate signing request to be submitted to the
+             * issuer for signing.
+             *
+             * If the CSR has a BasicConstraints extension, its isCA attribute must
+             * match the `isCA` value of this CertificateRequest.
+             * If the CSR has a KeyUsage extension, its key usages must match the
+             * key usages in the `usages` field of this CertificateRequest.
+             * If the CSR has a ExtKeyUsage extension, its extended key usages
+             * must match the extended key usages in the `usages` field of this
+             * CertificateRequest.
+             */
+            request?: pulumi.Input<string>;
+            /**
+             * UID contains the uid of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            uid?: pulumi.Input<string>;
+            /**
+             * Requested key usages and extended key usages.
+             *
+             * NOTE: If the CSR in the `Request` field has uses the KeyUsage or
+             * ExtKeyUsage extension, these extensions must have the same values
+             * as specified here without any additional values.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Username contains the name of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            username?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        interface CertificateRequestSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        interface CertificateRequestSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Specification of the desired state of the CertificateRequest resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateRequestSpecPatch {
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * Extra contains extra attributes of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            extra?: pulumi.Input<{
+                [key: string]: pulumi.Input<pulumi.Input<string>[]>;
+            }>;
+            /**
+             * Groups contains group membership of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            groups?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested basic constraints isCA value. Note that the issuer may choose
+             * to ignore the requested isCA value, just like any other requested attribute.
+             *
+             * NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
+             * it must have the same isCA value as specified here.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA?: pulumi.Input<boolean>;
+            issuerRef?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpecIssuerRefPatch>;
+            /**
+             * The PEM-encoded X.509 certificate signing request to be submitted to the
+             * issuer for signing.
+             *
+             * If the CSR has a BasicConstraints extension, its isCA attribute must
+             * match the `isCA` value of this CertificateRequest.
+             * If the CSR has a KeyUsage extension, its key usages must match the
+             * key usages in the `usages` field of this CertificateRequest.
+             * If the CSR has a ExtKeyUsage extension, its extended key usages
+             * must match the extended key usages in the `usages` field of this
+             * CertificateRequest.
+             */
+            request?: pulumi.Input<string>;
+            /**
+             * UID contains the uid of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            uid?: pulumi.Input<string>;
+            /**
+             * Requested key usages and extended key usages.
+             *
+             * NOTE: If the CSR in the `Request` field has uses the KeyUsage or
+             * ExtKeyUsage extension, these extensions must have the same values
+             * as specified here without any additional values.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Username contains the name of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            username?: pulumi.Input<string>;
+        }
+        /**
+         * Status of the CertificateRequest.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateRequestStatus {
+            /**
+             * The PEM encoded X.509 certificate of the signer, also known as the CA
+             * (Certificate Authority).
+             * This is set on a best-effort basis by different issuers.
+             * If not set, the CA is assumed to be unknown/not available.
+             */
+            ca?: pulumi.Input<string>;
+            /**
+             * The PEM encoded X.509 certificate resulting from the certificate
+             * signing request.
+             * If not set, the CertificateRequest has either not been completed or has
+             * failed. More information on failure can be found by checking the
+             * `conditions` field.
+             */
+            certificate?: pulumi.Input<string>;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateRequestStatusConditions>[]>;
+            /**
+             * FailureTime stores the time that this CertificateRequest failed. This is
+             * used to influence garbage collection and back-off.
+             */
+            failureTime?: pulumi.Input<string>;
+        }
+        /**
+         * CertificateRequestCondition contains condition information for a CertificateRequest.
+         */
+        interface CertificateRequestStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * Type of the condition, known values are (`Ready`, `InvalidRequest`,
+             * `Approved`, `Denied`).
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Specification of the desired state of the Certificate resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateSpec {
+            /**
+             * Defines extra output formats of the private key and signed certificate chain
+             * to be written to this Certificate's target Secret.
+             */
+            additionalOutputFormats?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateSpecAdditionalOutputFormats>[]>;
+            /**
+             * Requested common name X509 certificate subject attribute.
+             * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+             * NOTE: TLS clients will ignore this value when any subject alternative name is
+             * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
+             *
+             * Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
+             * Cannot be set if the `literalSubject` field is set.
+             */
+            commonName?: pulumi.Input<string>;
+            /**
+             * Requested DNS subject alternative names.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             *
+             * If unset, this defaults to 90 days.
+             * Minimum accepted duration is 1 hour.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * Requested email subject alternative names.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
+             *
+             * This option defaults to true, and should only be disabled if the target
+             * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
+             */
+            encodeUsagesInRequest?: pulumi.Input<boolean>;
+            /**
+             * Requested IP address subject alternative names.
+             */
+            ipAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested basic constraints isCA value.
+             * The isCA value is used to set the `isCA` field on the created CertificateRequest
+             * resources. Note that the issuer may choose to ignore the requested isCA value, just
+             * like any other requested attribute.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA?: pulumi.Input<boolean>;
+            issuerRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecIssuerRef>;
+            keystores?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystores>;
+            /**
+             * Requested X.509 certificate subject, represented using the LDAP "String
+             * Representation of a Distinguished Name" [1].
+             * Important: the LDAP string format also specifies the order of the attributes
+             * in the subject, this is important when issuing certs for LDAP authentication.
+             * Example: `CN=foo,DC=corp,DC=example,DC=com`
+             * More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
+             * More info: https://github.com/cert-manager/cert-manager/issues/3203
+             * More info: https://github.com/cert-manager/cert-manager/issues/4424
+             *
+             * Cannot be set if the `subject` or `commonName` field is set.
+             */
+            literalSubject?: pulumi.Input<string>;
+            nameConstraints?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraints>;
+            /**
+             * `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+             * Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+             * Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+             * You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+             */
+            otherNames?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateSpecOtherNames>[]>;
+            privateKey?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecPrivateKey>;
+            /**
+             * How long before the currently issued certificate's expiry cert-manager should
+             * renew the certificate. For example, if a certificate is valid for 60 minutes,
+             * and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
+             * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
+             * the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * If unset, this defaults to 1/3 of the issued certificate's lifetime.
+             * Minimum accepted value is 5 minutes.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             * Cannot be set if the `renewBeforePercentage` field is set.
+             */
+            renewBefore?: pulumi.Input<string>;
+            /**
+             * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
+             * rather than an absolute duration. For example, if a certificate is valid for 60
+             * minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
+             * renew the certificate 45 minutes after it was issued (i.e. when there are 15
+             * minutes (25%) remaining until the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * Value must be an integer in the range (0,100). The minimum effective
+             * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
+             * minutes.
+             * Cannot be set if the `renewBefore` field is set.
+             */
+            renewBeforePercentage?: pulumi.Input<number>;
+            /**
+             * The maximum number of CertificateRequest revisions that are maintained in
+             * the Certificate's history. Each revision represents a single `CertificateRequest`
+             * created by this Certificate, either when it was created, renewed, or Spec
+             * was changed. Revisions will be removed by oldest first if the number of
+             * revisions exceeds this number.
+             *
+             * If set, revisionHistoryLimit must be a value of `1` or greater.
+             * Default value is `1`.
+             */
+            revisionHistoryLimit?: pulumi.Input<number>;
+            /**
+             * Name of the Secret resource that will be automatically created and
+             * managed by this Certificate resource. It will be populated with a
+             * private key and certificate, signed by the denoted issuer. The Secret
+             * resource lives in the same namespace as the Certificate resource.
+             */
+            secretName?: pulumi.Input<string>;
+            secretTemplate?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecSecretTemplate>;
+            /**
+             * Signature algorithm to use.
+             * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
+             * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
+             * Allowed values for Ed25519 keys: PureEd25519.
+             */
+            signatureAlgorithm?: pulumi.Input<string>;
+            subject?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecSubject>;
+            /**
+             * Requested URI subject alternative names.
+             */
+            uris?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested key usages and extended key usages.
+             * These usages are used to set the `usages` field on the created CertificateRequest
+             * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
+             * will additionally be encoded in the `request` field which contains the CSR blob.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * CertificateAdditionalOutputFormat defines an additional output format of a
+         * Certificate resource. These contain supplementary data formats of the signed
+         * certificate chain and paired private key.
+         */
+        interface CertificateSpecAdditionalOutputFormats {
+            /**
+             * Type is the name of the format type that should be written to the
+             * Certificate's target Secret.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * CertificateAdditionalOutputFormat defines an additional output format of a
+         * Certificate resource. These contain supplementary data formats of the signed
+         * certificate chain and paired private key.
+         */
+        interface CertificateSpecAdditionalOutputFormatsPatch {
+            /**
+             * Type is the name of the format type that should be written to the
+             * Certificate's target Secret.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        interface CertificateSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        interface CertificateSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Additional keystore output formats to be stored in the Certificate's Secret.
+         */
+        interface CertificateSpecKeystores {
+            jks?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresJks>;
+            pkcs12?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPkcs12>;
+        }
+        /**
+         * JKS configures options for storing a JKS keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        interface CertificateSpecKeystoresJks {
+            /**
+             * Alias specifies the alias of the key in the keystore, required by the JKS format.
+             * If not provided, the default alias `certificate` will be used.
+             */
+            alias?: pulumi.Input<string>;
+            /**
+             * Create enables JKS keystore creation for the Certificate.
+             * If true, a file named `keystore.jks` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.jks`
+             * will also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef`
+             * containing the issuing Certificate Authority
+             */
+            create?: pulumi.Input<boolean>;
+            /**
+             * Password provides a literal password used to encrypt the JKS keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password?: pulumi.Input<string>;
+            passwordSecretRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRef>;
+        }
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the JKS keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        interface CertificateSpecKeystoresJksPasswordSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the JKS keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        interface CertificateSpecKeystoresJksPasswordSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * JKS configures options for storing a JKS keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        interface CertificateSpecKeystoresJksPatch {
+            /**
+             * Alias specifies the alias of the key in the keystore, required by the JKS format.
+             * If not provided, the default alias `certificate` will be used.
+             */
+            alias?: pulumi.Input<string>;
+            /**
+             * Create enables JKS keystore creation for the Certificate.
+             * If true, a file named `keystore.jks` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.jks`
+             * will also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef`
+             * containing the issuing Certificate Authority
+             */
+            create?: pulumi.Input<boolean>;
+            /**
+             * Password provides a literal password used to encrypt the JKS keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password?: pulumi.Input<string>;
+            passwordSecretRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRefPatch>;
+        }
+        /**
+         * Additional keystore output formats to be stored in the Certificate's Secret.
+         */
+        interface CertificateSpecKeystoresPatch {
+            jks?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresJksPatch>;
+            pkcs12?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPkcs12Patch>;
+        }
+        /**
+         * PKCS12 configures options for storing a PKCS12 keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        interface CertificateSpecKeystoresPkcs12 {
+            /**
+             * Create enables PKCS12 keystore creation for the Certificate.
+             * If true, a file named `keystore.p12` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or in `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.p12` will
+             * also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef` containing the issuing Certificate
+             * Authority
+             */
+            create?: pulumi.Input<boolean>;
+            /**
+             * Password provides a literal password used to encrypt the PKCS#12 keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password?: pulumi.Input<string>;
+            passwordSecretRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRef>;
+            /**
+             * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
+             * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
+             *
+             * If provided, allowed values are:
+             * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+             * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+             * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+             * (e.g., because of company policy). Please note that the security of the algorithm is not that important
+             * in reality, because the unencrypted certificate and private key are also stored in the Secret.
+             */
+            profile?: pulumi.Input<string>;
+        }
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the PKCS#12 keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        interface CertificateSpecKeystoresPkcs12PasswordSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the PKCS#12 keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        interface CertificateSpecKeystoresPkcs12PasswordSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PKCS12 configures options for storing a PKCS12 keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        interface CertificateSpecKeystoresPkcs12Patch {
+            /**
+             * Create enables PKCS12 keystore creation for the Certificate.
+             * If true, a file named `keystore.p12` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or in `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.p12` will
+             * also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef` containing the issuing Certificate
+             * Authority
+             */
+            create?: pulumi.Input<boolean>;
+            /**
+             * Password provides a literal password used to encrypt the PKCS#12 keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password?: pulumi.Input<string>;
+            passwordSecretRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRefPatch>;
+            /**
+             * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
+             * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
+             *
+             * If provided, allowed values are:
+             * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+             * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+             * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+             * (e.g., because of company policy). Please note that the security of the algorithm is not that important
+             * in reality, because the unencrypted certificate and private key are also stored in the Secret.
+             */
+            profile?: pulumi.Input<string>;
+        }
+        /**
+         * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
+         * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+         *
+         * This is an Alpha Feature and is only enabled with the
+         * `--feature-gates=NameConstraints=true` option set on both
+         * the controller and webhook components.
+         */
+        interface CertificateSpecNameConstraints {
+            /**
+             * if true then the name constraints are marked critical.
+             */
+            critical?: pulumi.Input<boolean>;
+            excluded?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsExcluded>;
+            permitted?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsPermitted>;
+        }
+        /**
+         * Excluded contains the constraints which must be disallowed. Any name matching a
+         * restriction in the excluded field is invalid regardless
+         * of information appearing in the permitted
+         */
+        interface CertificateSpecNameConstraintsExcluded {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Excluded contains the constraints which must be disallowed. Any name matching a
+         * restriction in the excluded field is invalid regardless
+         * of information appearing in the permitted
+         */
+        interface CertificateSpecNameConstraintsExcludedPatch {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
+         * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+         *
+         * This is an Alpha Feature and is only enabled with the
+         * `--feature-gates=NameConstraints=true` option set on both
+         * the controller and webhook components.
+         */
+        interface CertificateSpecNameConstraintsPatch {
+            /**
+             * if true then the name constraints are marked critical.
+             */
+            critical?: pulumi.Input<boolean>;
+            excluded?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsExcludedPatch>;
+            permitted?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsPermittedPatch>;
+        }
+        /**
+         * Permitted contains the constraints in which the names must be located.
+         */
+        interface CertificateSpecNameConstraintsPermitted {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Permitted contains the constraints in which the names must be located.
+         */
+        interface CertificateSpecNameConstraintsPermittedPatch {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        interface CertificateSpecOtherNames {
+            /**
+             * OID is the object identifier for the otherName SAN.
+             * The object identifier must be expressed as a dotted string, for
+             * example, "1.2.840.113556.1.4.221".
+             */
+            oid?: pulumi.Input<string>;
+            /**
+             * utf8Value is the string value of the otherName SAN.
+             * The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+             */
+            utf8Value?: pulumi.Input<string>;
+        }
+        interface CertificateSpecOtherNamesPatch {
+            /**
+             * OID is the object identifier for the otherName SAN.
+             * The object identifier must be expressed as a dotted string, for
+             * example, "1.2.840.113556.1.4.221".
+             */
+            oid?: pulumi.Input<string>;
+            /**
+             * utf8Value is the string value of the otherName SAN.
+             * The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+             */
+            utf8Value?: pulumi.Input<string>;
+        }
+        /**
+         * Specification of the desired state of the Certificate resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateSpecPatch {
+            /**
+             * Defines extra output formats of the private key and signed certificate chain
+             * to be written to this Certificate's target Secret.
+             */
+            additionalOutputFormats?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateSpecAdditionalOutputFormatsPatch>[]>;
+            /**
+             * Requested common name X509 certificate subject attribute.
+             * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+             * NOTE: TLS clients will ignore this value when any subject alternative name is
+             * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
+             *
+             * Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
+             * Cannot be set if the `literalSubject` field is set.
+             */
+            commonName?: pulumi.Input<string>;
+            /**
+             * Requested DNS subject alternative names.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             *
+             * If unset, this defaults to 90 days.
+             * Minimum accepted duration is 1 hour.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * Requested email subject alternative names.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
+             *
+             * This option defaults to true, and should only be disabled if the target
+             * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
+             */
+            encodeUsagesInRequest?: pulumi.Input<boolean>;
+            /**
+             * Requested IP address subject alternative names.
+             */
+            ipAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested basic constraints isCA value.
+             * The isCA value is used to set the `isCA` field on the created CertificateRequest
+             * resources. Note that the issuer may choose to ignore the requested isCA value, just
+             * like any other requested attribute.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA?: pulumi.Input<boolean>;
+            issuerRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecIssuerRefPatch>;
+            keystores?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPatch>;
+            /**
+             * Requested X.509 certificate subject, represented using the LDAP "String
+             * Representation of a Distinguished Name" [1].
+             * Important: the LDAP string format also specifies the order of the attributes
+             * in the subject, this is important when issuing certs for LDAP authentication.
+             * Example: `CN=foo,DC=corp,DC=example,DC=com`
+             * More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
+             * More info: https://github.com/cert-manager/cert-manager/issues/3203
+             * More info: https://github.com/cert-manager/cert-manager/issues/4424
+             *
+             * Cannot be set if the `subject` or `commonName` field is set.
+             */
+            literalSubject?: pulumi.Input<string>;
+            nameConstraints?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsPatch>;
+            /**
+             * `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+             * Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+             * Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+             * You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+             */
+            otherNames?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateSpecOtherNamesPatch>[]>;
+            privateKey?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecPrivateKeyPatch>;
+            /**
+             * How long before the currently issued certificate's expiry cert-manager should
+             * renew the certificate. For example, if a certificate is valid for 60 minutes,
+             * and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
+             * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
+             * the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * If unset, this defaults to 1/3 of the issued certificate's lifetime.
+             * Minimum accepted value is 5 minutes.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             * Cannot be set if the `renewBeforePercentage` field is set.
+             */
+            renewBefore?: pulumi.Input<string>;
+            /**
+             * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
+             * rather than an absolute duration. For example, if a certificate is valid for 60
+             * minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
+             * renew the certificate 45 minutes after it was issued (i.e. when there are 15
+             * minutes (25%) remaining until the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * Value must be an integer in the range (0,100). The minimum effective
+             * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
+             * minutes.
+             * Cannot be set if the `renewBefore` field is set.
+             */
+            renewBeforePercentage?: pulumi.Input<number>;
+            /**
+             * The maximum number of CertificateRequest revisions that are maintained in
+             * the Certificate's history. Each revision represents a single `CertificateRequest`
+             * created by this Certificate, either when it was created, renewed, or Spec
+             * was changed. Revisions will be removed by oldest first if the number of
+             * revisions exceeds this number.
+             *
+             * If set, revisionHistoryLimit must be a value of `1` or greater.
+             * Default value is `1`.
+             */
+            revisionHistoryLimit?: pulumi.Input<number>;
+            /**
+             * Name of the Secret resource that will be automatically created and
+             * managed by this Certificate resource. It will be populated with a
+             * private key and certificate, signed by the denoted issuer. The Secret
+             * resource lives in the same namespace as the Certificate resource.
+             */
+            secretName?: pulumi.Input<string>;
+            secretTemplate?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecSecretTemplatePatch>;
+            /**
+             * Signature algorithm to use.
+             * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
+             * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
+             * Allowed values for Ed25519 keys: PureEd25519.
+             */
+            signatureAlgorithm?: pulumi.Input<string>;
+            subject?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecSubjectPatch>;
+            /**
+             * Requested URI subject alternative names.
+             */
+            uris?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested key usages and extended key usages.
+             * These usages are used to set the `usages` field on the created CertificateRequest
+             * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
+             * will additionally be encoded in the `request` field which contains the CSR blob.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Private key options. These include the key algorithm and size, the used
+         * encoding and the rotation policy.
+         */
+        interface CertificateSpecPrivateKey {
+            /**
+             * Algorithm is the private key algorithm of the corresponding private key
+             * for this certificate.
+             *
+             * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
+             * If `algorithm` is specified and `size` is not provided,
+             * key size of 2048 will be used for `RSA` key algorithm and
+             * key size of 256 will be used for `ECDSA` key algorithm.
+             * key size is ignored when using the `Ed25519` key algorithm.
+             */
+            algorithm?: pulumi.Input<string>;
+            /**
+             * The private key cryptography standards (PKCS) encoding for this
+             * certificate's private key to be encoded in.
+             *
+             * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+             * and PKCS#8, respectively.
+             * Defaults to `PKCS1` if not specified.
+             */
+            encoding?: pulumi.Input<string>;
+            /**
+             * RotationPolicy controls how private keys should be regenerated when a
+             * re-issuance is being processed.
+             *
+             * If set to `Never`, a private key will only be generated if one does not
+             * already exist in the target `spec.secretName`. If one does exist but it
+             * does not have the correct algorithm or size, a warning will be raised
+             * to await user intervention.
+             * If set to `Always`, a private key matching the specified requirements
+             * will be generated whenever a re-issuance occurs.
+             * Default is `Always`.
+             * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
+             * The new default can be disabled by setting the
+             * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
+             * the controller component.
+             */
+            rotationPolicy?: pulumi.Input<string>;
+            /**
+             * Size is the key bit size of the corresponding private key for this certificate.
+             *
+             * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+             * and will default to `2048` if not specified.
+             * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+             * and will default to `256` if not specified.
+             * If `algorithm` is set to `Ed25519`, Size is ignored.
+             * No other values are allowed.
+             */
+            size?: pulumi.Input<number>;
+        }
+        /**
+         * Private key options. These include the key algorithm and size, the used
+         * encoding and the rotation policy.
+         */
+        interface CertificateSpecPrivateKeyPatch {
+            /**
+             * Algorithm is the private key algorithm of the corresponding private key
+             * for this certificate.
+             *
+             * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
+             * If `algorithm` is specified and `size` is not provided,
+             * key size of 2048 will be used for `RSA` key algorithm and
+             * key size of 256 will be used for `ECDSA` key algorithm.
+             * key size is ignored when using the `Ed25519` key algorithm.
+             */
+            algorithm?: pulumi.Input<string>;
+            /**
+             * The private key cryptography standards (PKCS) encoding for this
+             * certificate's private key to be encoded in.
+             *
+             * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+             * and PKCS#8, respectively.
+             * Defaults to `PKCS1` if not specified.
+             */
+            encoding?: pulumi.Input<string>;
+            /**
+             * RotationPolicy controls how private keys should be regenerated when a
+             * re-issuance is being processed.
+             *
+             * If set to `Never`, a private key will only be generated if one does not
+             * already exist in the target `spec.secretName`. If one does exist but it
+             * does not have the correct algorithm or size, a warning will be raised
+             * to await user intervention.
+             * If set to `Always`, a private key matching the specified requirements
+             * will be generated whenever a re-issuance occurs.
+             * Default is `Always`.
+             * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
+             * The new default can be disabled by setting the
+             * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
+             * the controller component.
+             */
+            rotationPolicy?: pulumi.Input<string>;
+            /**
+             * Size is the key bit size of the corresponding private key for this certificate.
+             *
+             * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+             * and will default to `2048` if not specified.
+             * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+             * and will default to `256` if not specified.
+             * If `algorithm` is set to `Ed25519`, Size is ignored.
+             * No other values are allowed.
+             */
+            size?: pulumi.Input<number>;
+        }
+        /**
+         * Defines annotations and labels to be copied to the Certificate's Secret.
+         * Labels and annotations on the Secret will be changed as they appear on the
+         * SecretTemplate when added or removed. SecretTemplate annotations are added
+         * in conjunction with, and cannot overwrite, the base set of annotations
+         * cert-manager sets on the Certificate's Secret.
+         */
+        interface CertificateSpecSecretTemplate {
+            /**
+             * Annotations is a key value map to be copied to the target Kubernetes Secret.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels is a key value map to be copied to the target Kubernetes Secret.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines annotations and labels to be copied to the Certificate's Secret.
+         * Labels and annotations on the Secret will be changed as they appear on the
+         * SecretTemplate when added or removed. SecretTemplate annotations are added
+         * in conjunction with, and cannot overwrite, the base set of annotations
+         * cert-manager sets on the Certificate's Secret.
+         */
+        interface CertificateSpecSecretTemplatePatch {
+            /**
+             * Annotations is a key value map to be copied to the target Kubernetes Secret.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels is a key value map to be copied to the target Kubernetes Secret.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Requested set of X509 certificate subject attributes.
+         * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+         *
+         * The common name attribute is specified separately in the `commonName` field.
+         * Cannot be set if the `literalSubject` field is set.
+         */
+        interface CertificateSpecSubject {
+            /**
+             * Countries to be used on the Certificate.
+             */
+            countries?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Cities to be used on the Certificate.
+             */
+            localities?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Organizational Units to be used on the Certificate.
+             */
+            organizationalUnits?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Organizations to be used on the Certificate.
+             */
+            organizations?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Postal codes to be used on the Certificate.
+             */
+            postalCodes?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * State/Provinces to be used on the Certificate.
+             */
+            provinces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Serial number to be used on the Certificate.
+             */
+            serialNumber?: pulumi.Input<string>;
+            /**
+             * Street addresses to be used on the Certificate.
+             */
+            streetAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Requested set of X509 certificate subject attributes.
+         * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+         *
+         * The common name attribute is specified separately in the `commonName` field.
+         * Cannot be set if the `literalSubject` field is set.
+         */
+        interface CertificateSpecSubjectPatch {
+            /**
+             * Countries to be used on the Certificate.
+             */
+            countries?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Cities to be used on the Certificate.
+             */
+            localities?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Organizational Units to be used on the Certificate.
+             */
+            organizationalUnits?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Organizations to be used on the Certificate.
+             */
+            organizations?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Postal codes to be used on the Certificate.
+             */
+            postalCodes?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * State/Provinces to be used on the Certificate.
+             */
+            provinces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Serial number to be used on the Certificate.
+             */
+            serialNumber?: pulumi.Input<string>;
+            /**
+             * Street addresses to be used on the Certificate.
+             */
+            streetAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Status of the Certificate.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateStatus {
+            /**
+             * List of status conditions to indicate the status of certificates.
+             * Known condition types are `Ready` and `Issuing`.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateStatusConditions>[]>;
+            /**
+             * The number of continuous failed issuance attempts up till now. This
+             * field gets removed (if set) on a successful issuance and gets set to
+             * 1 if unset and an issuance has failed. If an issuance has failed, the
+             * delay till the next issuance will be calculated using formula
+             * time.Hour * 2 ^ (failedIssuanceAttempts - 1).
+             */
+            failedIssuanceAttempts?: pulumi.Input<number>;
+            /**
+             * LastFailureTime is set only if the latest issuance for this
+             * Certificate failed and contains the time of the failure. If an
+             * issuance has failed, the delay till the next issuance will be
+             * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
+             * 1). If the latest issuance has succeeded this field will be unset.
+             */
+            lastFailureTime?: pulumi.Input<string>;
+            /**
+             * The name of the Secret resource containing the private key to be used
+             * for the next certificate iteration.
+             * The keymanager controller will automatically set this field if the
+             * `Issuing` condition is set to `True`.
+             * It will automatically unset this field when the Issuing condition is
+             * not set or False.
+             */
+            nextPrivateKeySecretName?: pulumi.Input<string>;
+            /**
+             * The expiration time of the certificate stored in the secret named
+             * by this resource in `spec.secretName`.
+             */
+            notAfter?: pulumi.Input<string>;
+            /**
+             * The time after which the certificate stored in the secret named
+             * by this resource in `spec.secretName` is valid.
+             */
+            notBefore?: pulumi.Input<string>;
+            /**
+             * RenewalTime is the time at which the certificate will be next
+             * renewed.
+             * If not set, no upcoming renewal is scheduled.
+             */
+            renewalTime?: pulumi.Input<string>;
+            /**
+             * The current 'revision' of the certificate as issued.
+             *
+             * When a CertificateRequest resource is created, it will have the
+             * `cert-manager.io/certificate-revision` set to one greater than the
+             * current value of this field.
+             *
+             * Upon issuance, this field will be set to the value of the annotation
+             * on the CertificateRequest resource used to issue the certificate.
+             *
+             * Persisting the value on the CertificateRequest resource allows the
+             * certificates controller to know whether a request is part of an old
+             * issuance or if it is part of the ongoing revision's issuance by
+             * checking if the revision value in the annotation is greater than this
+             * field.
+             */
+            revision?: pulumi.Input<number>;
+        }
+        /**
+         * CertificateCondition contains condition information for a Certificate.
+         */
+        interface CertificateStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Certificate.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * Type of the condition, known values are (`Ready`, `Issuing`).
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * A ClusterIssuer represents a certificate issuing authority which can be
+         * referenced as part of `issuerRef` fields.
+         * It is similar to an Issuer, however it is cluster-scoped and therefore can
+         * be referenced by resources that exist in *any* namespace, not just the same
+         * namespace as the referent.
+         */
+        interface ClusterIssuer {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"ClusterIssuer">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpec>;
+            status?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerStatus>;
+        }
+        /**
+         * Desired state of the ClusterIssuer resource.
+         */
+        interface ClusterIssuerSpec {
+            acme?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcme>;
+            ca?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecCa>;
+            selfSigned?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecSelfSigned>;
+            vault?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVault>;
+            venafi?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafi>;
+        }
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        interface ClusterIssuerSpecAcme {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration?: pulumi.Input<boolean>;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email?: pulumi.Input<string>;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature?: pulumi.Input<boolean>;
+            externalAccountBinding?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBinding>;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain?: pulumi.Input<string>;
+            privateKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRef>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify?: pulumi.Input<boolean>;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolvers>[]>;
+        }
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        interface ClusterIssuerSpecAcmeExternalAccountBinding {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm?: pulumi.Input<string>;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID?: pulumi.Input<string>;
+            keySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRef>;
+        }
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        interface ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        interface ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        interface ClusterIssuerSpecAcmeExternalAccountBindingPatch {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm?: pulumi.Input<string>;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID?: pulumi.Input<string>;
+            keySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRefPatch>;
+        }
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        interface ClusterIssuerSpecAcmePatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration?: pulumi.Input<boolean>;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email?: pulumi.Input<string>;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature?: pulumi.Input<boolean>;
+            externalAccountBinding?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingPatch>;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain?: pulumi.Input<string>;
+            privateKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRefPatch>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify?: pulumi.Input<boolean>;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversPatch>[]>;
+        }
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        interface ClusterIssuerSpecAcmePrivateKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        interface ClusterIssuerSpecAcmePrivateKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        interface ClusterIssuerSpecAcmeSolvers {
+            dns01?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01>;
+            http01?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01>;
+            selector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversSelector>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01 {
+            acmeDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNS>;
+            akamai?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Akamai>;
+            azureDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNS>;
+            cloudDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNS>;
+            cloudflare?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Cloudflare>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Digitalocean>;
+            rfc2136?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136>;
+            route53?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53>;
+            webhook?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Webhook>;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AcmeDNS {
+            accountSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef>;
+            host?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSPatch {
+            accountSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch>;
+            host?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Akamai {
+            accessTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef>;
+            clientTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiPatch {
+            accessTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch>;
+            clientTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef>;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Cloudflare {
+            apiKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef>;
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflarePatch {
+            apiKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch>;
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Digitalocean {
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef>;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanPatch {
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Patch {
+            acmeDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSPatch>;
+            akamai?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiPatch>;
+            azureDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSPatch>;
+            cloudDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSPatch>;
+            cloudflare?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflarePatch>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanPatch>;
+            rfc2136?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136Patch>;
+            route53?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Patch>;
+            webhook?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01WebhookPatch>;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef>;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch>;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef>;
+            auth?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Auth>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53Auth {
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetes>;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetes {
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef>;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch {
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch {
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch>;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch>;
+            auth?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{
+                [key: string]: any;
+            }>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{
+                [key: string]: any;
+            }>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01 {
+            gatewayHTTPRoute?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute>;
+            ingress?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01Ingress>;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs>[]>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch>[]>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls>[]>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplate>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata>;
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch>;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpec>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpec {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls>[]>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01Patch {
+            gatewayHTTPRoute?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch>;
+            ingress?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPatch>;
+        }
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        interface ClusterIssuerSpecAcmeSolversPatch {
+            dns01?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Patch>;
+            http01?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01Patch>;
+            selector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversSelectorPatch>;
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface ClusterIssuerSpecAcmeSolversSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface ClusterIssuerSpecAcmeSolversSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        interface ClusterIssuerSpecCa {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        interface ClusterIssuerSpecCaPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+        /**
+         * Desired state of the ClusterIssuer resource.
+         */
+        interface ClusterIssuerSpecPatch {
+            acme?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmePatch>;
+            ca?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecCaPatch>;
+            selfSigned?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecSelfSignedPatch>;
+            vault?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultPatch>;
+            venafi?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiPatch>;
+        }
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        interface ClusterIssuerSpecSelfSigned {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        interface ClusterIssuerSpecSelfSignedPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        interface ClusterIssuerSpecVault {
+            auth?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuth>;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultCaBundleSecretRef>;
+            clientCertSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultClientCertSecretRef>;
+            clientKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultClientKeySecretRef>;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        interface ClusterIssuerSpecVaultAuth {
+            appRole?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRole>;
+            clientCertificate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificate>;
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetes>;
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRef>;
+        }
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        interface ClusterIssuerSpecVaultAuthAppRole {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRoleSecretRef>;
+        }
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        interface ClusterIssuerSpecVaultAuthAppRolePatch {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRoleSecretRefPatch>;
+        }
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        interface ClusterIssuerSpecVaultAuthAppRoleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        interface ClusterIssuerSpecVaultAuthAppRoleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        interface ClusterIssuerSpecVaultAuthClientCertificate {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        interface ClusterIssuerSpecVaultAuthClientCertificatePatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetes {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesSecretRef>;
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesServiceAccountRef>;
+        }
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesPatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesSecretRefPatch>;
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesServiceAccountRefPatch>;
+        }
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        interface ClusterIssuerSpecVaultAuthPatch {
+            appRole?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRolePatch>;
+            clientCertificate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificatePatch>;
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesPatch>;
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRefPatch>;
+        }
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        interface ClusterIssuerSpecVaultAuthTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        interface ClusterIssuerSpecVaultAuthTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        interface ClusterIssuerSpecVaultCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        interface ClusterIssuerSpecVaultCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        interface ClusterIssuerSpecVaultClientCertSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        interface ClusterIssuerSpecVaultClientCertSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        interface ClusterIssuerSpecVaultClientKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        interface ClusterIssuerSpecVaultClientKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        interface ClusterIssuerSpecVaultPatch {
+            auth?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthPatch>;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultCaBundleSecretRefPatch>;
+            clientCertSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultClientCertSecretRefPatch>;
+            clientKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultClientKeySecretRefPatch>;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName?: pulumi.Input<string>;
+        }
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        interface ClusterIssuerSpecVenafi {
+            cloud?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiCloud>;
+            tpp?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTpp>;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone?: pulumi.Input<string>;
+        }
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface ClusterIssuerSpecVenafiCloud {
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRef>;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url?: pulumi.Input<string>;
+        }
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        interface ClusterIssuerSpecVenafiCloudApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        interface ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface ClusterIssuerSpecVenafiCloudPatch {
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch>;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url?: pulumi.Input<string>;
+        }
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        interface ClusterIssuerSpecVenafiPatch {
+            cloud?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudPatch>;
+            tpp?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppPatch>;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone?: pulumi.Input<string>;
+        }
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface ClusterIssuerSpecVenafiTpp {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRef>;
+            credentialsRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRef>;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        interface ClusterIssuerSpecVenafiTppCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        interface ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        interface ClusterIssuerSpecVenafiTppCredentialsRef {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        interface ClusterIssuerSpecVenafiTppCredentialsRefPatch {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface ClusterIssuerSpecVenafiTppPatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch>;
+            credentialsRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRefPatch>;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url?: pulumi.Input<string>;
+        }
+        /**
+         * Status of the ClusterIssuer. This is set and managed automatically.
+         */
+        interface ClusterIssuerStatus {
+            acme?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerStatusAcme>;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerStatusConditions>[]>;
+        }
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        interface ClusterIssuerStatusAcme {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash?: pulumi.Input<string>;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail?: pulumi.Input<string>;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri?: pulumi.Input<string>;
+        }
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        interface ClusterIssuerStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * An Issuer represents a certificate issuing authority which can be
+         * referenced as part of `issuerRef` fields.
+         * It is scoped to a single namespace and can therefore only be referenced by
+         * resources within the same namespace.
+         */
+        interface Issuer {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Issuer">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpec>;
+            status?: pulumi.Input<inputs.cert_manager.v1.IssuerStatus>;
+        }
+        /**
+         * Desired state of the Issuer resource.
+         */
+        interface IssuerSpec {
+            acme?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcme>;
+            ca?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecCa>;
+            selfSigned?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecSelfSigned>;
+            vault?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVault>;
+            venafi?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafi>;
+        }
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        interface IssuerSpecAcme {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration?: pulumi.Input<boolean>;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email?: pulumi.Input<string>;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature?: pulumi.Input<boolean>;
+            externalAccountBinding?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBinding>;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain?: pulumi.Input<string>;
+            privateKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRef>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify?: pulumi.Input<boolean>;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolvers>[]>;
+        }
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        interface IssuerSpecAcmeExternalAccountBinding {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm?: pulumi.Input<string>;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID?: pulumi.Input<string>;
+            keySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingKeySecretRef>;
+        }
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        interface IssuerSpecAcmeExternalAccountBindingKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        interface IssuerSpecAcmeExternalAccountBindingKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        interface IssuerSpecAcmeExternalAccountBindingPatch {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm?: pulumi.Input<string>;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID?: pulumi.Input<string>;
+            keySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingKeySecretRefPatch>;
+        }
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        interface IssuerSpecAcmePatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration?: pulumi.Input<boolean>;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email?: pulumi.Input<string>;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature?: pulumi.Input<boolean>;
+            externalAccountBinding?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingPatch>;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain?: pulumi.Input<string>;
+            privateKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRefPatch>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify?: pulumi.Input<boolean>;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversPatch>[]>;
+        }
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        interface IssuerSpecAcmePrivateKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        interface IssuerSpecAcmePrivateKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        interface IssuerSpecAcmeSolvers {
+            dns01?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01>;
+            http01?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01>;
+            selector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversSelector>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface IssuerSpecAcmeSolversDns01 {
+            acmeDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNS>;
+            akamai?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Akamai>;
+            azureDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNS>;
+            cloudDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNS>;
+            cloudflare?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Cloudflare>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Digitalocean>;
+            rfc2136?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136>;
+            route53?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53>;
+            webhook?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Webhook>;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AcmeDNS {
+            accountSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef>;
+            host?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AcmeDNSPatch {
+            accountSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch>;
+            host?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Akamai {
+            accessTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef>;
+            clientTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiPatch {
+            accessTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch>;
+            clientTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef>;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Cloudflare {
+            apiKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef>;
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflarePatch {
+            apiKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch>;
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Digitalocean {
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef>;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01DigitaloceanPatch {
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface IssuerSpecAcmeSolversDns01Patch {
+            acmeDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSPatch>;
+            akamai?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiPatch>;
+            azureDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSPatch>;
+            cloudDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSPatch>;
+            cloudflare?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflarePatch>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanPatch>;
+            rfc2136?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136Patch>;
+            route53?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Patch>;
+            webhook?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01WebhookPatch>;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef>;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch>;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef>;
+            auth?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Auth>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53Auth {
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetes>;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthKubernetes {
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef>;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch {
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthPatch {
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch>;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch>;
+            auth?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthPatch>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{
+                [key: string]: any;
+            }>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{
+                [key: string]: any;
+            }>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface IssuerSpecAcmeSolversHttp01 {
+            gatewayHTTPRoute?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoute>;
+            ingress?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01Ingress>;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs>[]>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch>[]>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls>[]>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface IssuerSpecAcmeSolversHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplate>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressIngressTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata>;
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch>;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpec>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpec {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch>[]>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{
+                [key: string]: pulumi.Input<number | string>;
+            }>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls>[]>;
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface IssuerSpecAcmeSolversHttp01Patch {
+            gatewayHTTPRoute?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch>;
+            ingress?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPatch>;
+        }
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        interface IssuerSpecAcmeSolversPatch {
+            dns01?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Patch>;
+            http01?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01Patch>;
+            selector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversSelectorPatch>;
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface IssuerSpecAcmeSolversSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface IssuerSpecAcmeSolversSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        interface IssuerSpecCa {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        interface IssuerSpecCaPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+        /**
+         * Desired state of the Issuer resource.
+         */
+        interface IssuerSpecPatch {
+            acme?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmePatch>;
+            ca?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecCaPatch>;
+            selfSigned?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecSelfSignedPatch>;
+            vault?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultPatch>;
+            venafi?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiPatch>;
+        }
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        interface IssuerSpecSelfSigned {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        interface IssuerSpecSelfSignedPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        interface IssuerSpecVault {
+            auth?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuth>;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultCaBundleSecretRef>;
+            clientCertSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultClientCertSecretRef>;
+            clientKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultClientKeySecretRef>;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        interface IssuerSpecVaultAuth {
+            appRole?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthAppRole>;
+            clientCertificate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificate>;
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetes>;
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRef>;
+        }
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        interface IssuerSpecVaultAuthAppRole {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthAppRoleSecretRef>;
+        }
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        interface IssuerSpecVaultAuthAppRolePatch {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthAppRoleSecretRefPatch>;
+        }
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        interface IssuerSpecVaultAuthAppRoleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        interface IssuerSpecVaultAuthAppRoleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        interface IssuerSpecVaultAuthClientCertificate {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        interface IssuerSpecVaultAuthClientCertificatePatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        interface IssuerSpecVaultAuthKubernetes {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesSecretRef>;
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesServiceAccountRef>;
+        }
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        interface IssuerSpecVaultAuthKubernetesPatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesSecretRefPatch>;
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesServiceAccountRefPatch>;
+        }
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        interface IssuerSpecVaultAuthKubernetesSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        interface IssuerSpecVaultAuthKubernetesSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        interface IssuerSpecVaultAuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        interface IssuerSpecVaultAuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        interface IssuerSpecVaultAuthPatch {
+            appRole?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthAppRolePatch>;
+            clientCertificate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificatePatch>;
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesPatch>;
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRefPatch>;
+        }
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        interface IssuerSpecVaultAuthTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        interface IssuerSpecVaultAuthTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        interface IssuerSpecVaultCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        interface IssuerSpecVaultCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        interface IssuerSpecVaultClientCertSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        interface IssuerSpecVaultClientCertSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        interface IssuerSpecVaultClientKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        interface IssuerSpecVaultClientKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        interface IssuerSpecVaultPatch {
+            auth?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthPatch>;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultCaBundleSecretRefPatch>;
+            clientCertSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultClientCertSecretRefPatch>;
+            clientKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultClientKeySecretRefPatch>;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName?: pulumi.Input<string>;
+        }
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        interface IssuerSpecVenafi {
+            cloud?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiCloud>;
+            tpp?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTpp>;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone?: pulumi.Input<string>;
+        }
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface IssuerSpecVenafiCloud {
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRef>;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url?: pulumi.Input<string>;
+        }
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        interface IssuerSpecVenafiCloudApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        interface IssuerSpecVenafiCloudApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface IssuerSpecVenafiCloudPatch {
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRefPatch>;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url?: pulumi.Input<string>;
+        }
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        interface IssuerSpecVenafiPatch {
+            cloud?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiCloudPatch>;
+            tpp?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppPatch>;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone?: pulumi.Input<string>;
+        }
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface IssuerSpecVenafiTpp {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRef>;
+            credentialsRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRef>;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        interface IssuerSpecVenafiTppCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        interface IssuerSpecVenafiTppCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        interface IssuerSpecVenafiTppCredentialsRef {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        interface IssuerSpecVenafiTppCredentialsRefPatch {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface IssuerSpecVenafiTppPatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRefPatch>;
+            credentialsRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRefPatch>;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url?: pulumi.Input<string>;
+        }
+        /**
+         * Status of the Issuer. This is set and managed automatically.
+         */
+        interface IssuerStatus {
+            acme?: pulumi.Input<inputs.cert_manager.v1.IssuerStatusAcme>;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerStatusConditions>[]>;
+        }
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        interface IssuerStatusAcme {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash?: pulumi.Input<string>;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail?: pulumi.Input<string>;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri?: pulumi.Input<string>;
+        }
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        interface IssuerStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type?: pulumi.Input<string>;
+        }
+    }
+}
+export declare namespace gateway {
+    namespace v1 {
+        /**
+         * BackendTLSPolicy provides a way to configure how a Gateway
+         * connects to a Backend via TLS.
+         */
+        interface BackendTLSPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"BackendTLSPolicy">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpec>;
+            status?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicyStatus>;
+        }
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicySpec {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecTargetRefs>[]>;
+            validation?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidation>;
+        }
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicySpecPatch {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecTargetRefsPatch>[]>;
+            validation?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationPatch>;
+        }
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        interface BackendTLSPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        interface BackendTLSPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        interface BackendTLSPolicySpecValidation {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefs>[]>;
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNames>[]>;
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface BackendTLSPolicySpecValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface BackendTLSPolicySpecValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        interface BackendTLSPolicySpecValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefsPatch>[]>;
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNamesPatch>[]>;
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates?: pulumi.Input<string>;
+        }
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        interface BackendTLSPolicySpecValidationSubjectAltNames {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri?: pulumi.Input<string>;
+        }
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        interface BackendTLSPolicySpecValidationSubjectAltNamesPatch {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicyStatusAncestors>[]>;
+        }
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        interface BackendTLSPolicyStatusAncestors {
+            ancestorRef?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRef>;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+        }
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        interface BackendTLSPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface BackendTLSPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * GRPCRoute provides a way to route gRPC requests. This includes the capability
+         * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+         * Filters can be used to specify additional processing steps. Backends specify
+         * where matching requests will be routed.
+         *
+         * GRPCRoute falls under extended support within the Gateway API. Within the
+         * following specification, the word "MUST" indicates that an implementation
+         * supporting GRPCRoute must conform to the indicated requirement, but an
+         * implementation not supporting this route type need not follow the requirement
+         * unless explicitly indicated.
+         *
+         * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+         * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+         * ALPN. If the implementation does not support this, then it MUST set the
+         * "Accepted" condition to "False" for the affected listener with a reason of
+         * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+         * with an upgrade from HTTP/1.
+         *
+         * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+         * support HTTP/2 over cleartext TCP (h2c,
+         * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+         * upgrade from HTTP/1.1, i.e. with prior knowledge
+         * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+         * does not support this, then it MUST set the "Accepted" condition to "False"
+         * for the affected listener with a reason of "UnsupportedProtocol".
+         * Implementations MAY also accept HTTP/2 connections with an upgrade from
+         * HTTP/1, i.e. without prior knowledge.
+         */
+        interface GRPCRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"GRPCRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1.GRPCRouteStatus>;
+        }
+        /**
+         * Spec defines the desired state of GRPCRoute.
+         */
+        interface GRPCRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames to match against the GRPC
+             * Host header to select a GRPCRoute to process the request. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label MUST appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and GRPCRoute, there
+             * MUST be at least one intersecting hostname for the GRPCRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, any
+             * GRPCRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * GRPCRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` MUST NOT be considered for a match.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, and none
+             * match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+             * the implementation. The implementation MUST raise an 'Accepted' Condition
+             * with a status of `False` in the corresponding RouteParentStatus.
+             *
+             * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+             * Listener and that listener already has another Route (B) of the other
+             * type attached and the intersection of the hostnames of A and B is
+             * non-empty, then the implementation MUST accept exactly one of these two
+             * routes, determined by the following criteria, in order:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * The rejected Route MUST raise an 'Accepted' condition with a status of
+             * 'False' in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of GRPC matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface GRPCRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface GRPCRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of GRPCRoute.
+         */
+        interface GRPCRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames to match against the GRPC
+             * Host header to select a GRPCRoute to process the request. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label MUST appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and GRPCRoute, there
+             * MUST be at least one intersecting hostname for the GRPCRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, any
+             * GRPCRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * GRPCRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` MUST NOT be considered for a match.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, and none
+             * match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+             * the implementation. The implementation MUST raise an 'Accepted' Condition
+             * with a status of `False` in the corresponding RouteParentStatus.
+             *
+             * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+             * Listener and that listener already has another Route (B) of the other
+             * type attached and the intersection of the hostnames of A and B is
+             * non-empty, then the implementation MUST accept exactly one of these two
+             * routes, determined by the following criteria, in order:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * The rejected Route MUST raise an 'Accepted' condition with a status of
+             * 'False' in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of GRPC matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * GRPCRouteRule defines the semantics for matching a gRPC request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface GRPCRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive an `UNAVAILABLE` status.
+             *
+             * See the GRPCBackendRef definition for the rules about what makes a single
+             * GRPCBackendRef invalid.
+             *
+             * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive an `UNAVAILABLE` status.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+             * Implementations may choose how that 50 percent is determined.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * The effects of ordering of multiple behaviors are currently unspecified.
+             * This can change in the future based on feedback during the alpha stage.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations that support
+             *   GRPCRoute.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * If an implementation cannot support a combination of filters, it must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFilters>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * gRPC requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - method:
+             *     service: foo.bar
+             *   headers:
+             *     values:
+             *       version: 2
+             * - method:
+             *     service: foo.bar.v2
+             * ```
+             *
+             * For a request to match against this rule, it MUST satisfy
+             * EITHER of the two conditions:
+             *
+             * - service of foo.bar AND contains the header `version: 2`
+             * - service of foo.bar.v2
+             *
+             * See the documentation for GRPCRouteMatch on how to specify multiple
+             * match conditions to be ANDed together.
+             *
+             * If no matches are specified, the implementation MUST match every gRPC request.
+             *
+             * Proxy or Load Balancer routing configuration generated from GRPCRoutes
+             * MUST prioritize rules based on the following criteria, continuing on
+             * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+             * Precedence MUST be given to the rule with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             * * Characters in a matching service.
+             * * Characters in a matching method.
+             * * Header matches.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within the Route that has been given precedence,
+             * matching precedence MUST be granted to the first matching rule meeting
+             * the above criteria.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatches>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesSessionPersistence>;
+        }
+        /**
+         * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface GRPCRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level MUST be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in GRPCRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFilters>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFilters {
+            extensionRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersExtensionRef>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirror>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersPatch {
+            extensionRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface GRPCRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level MUST be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in GRPCRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersPatch>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface GRPCRouteSpecRulesFilters {
+            extensionRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersExtensionRef>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirror>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        interface GRPCRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        interface GRPCRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface GRPCRouteSpecRulesFiltersPatch {
+            extensionRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersExtensionRefPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * GRPCRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a gRPC request only if its service
+         * is `foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * matches:
+         *   - method:
+         *     type: Exact
+         *     service: "foo"
+         *     headers:
+         *   - name: "version"
+         *     value "v1"
+         *
+         * ```
+         */
+        interface GRPCRouteSpecRulesMatches {
+            /**
+             * Headers specifies gRPC request header matchers. Multiple match values are
+             * ANDed together, meaning, a request MUST match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesHeaders>[]>;
+            method?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesMethod>;
+        }
+        /**
+         * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+         * headers.
+         */
+        interface GRPCRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the gRPC Header to be matched.
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of the gRPC Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+         * headers.
+         */
+        interface GRPCRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the gRPC Header to be matched.
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of the gRPC Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Method specifies a gRPC request service/method matcher. If this field is
+         * not specified, all services and methods will match.
+         */
+        interface GRPCRouteSpecRulesMatchesMethod {
+            /**
+             * Value of the method to match against. If left empty or omitted, will
+             * match all services.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            method?: pulumi.Input<string>;
+            /**
+             * Value of the service to match against. If left empty or omitted, will
+             * match any service.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            service?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the service and/or method.
+             * Support: Core (Exact with service and method specified)
+             *
+             * Support: Implementation-specific (Exact with method specified but no service specified)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Method specifies a gRPC request service/method matcher. If this field is
+         * not specified, all services and methods will match.
+         */
+        interface GRPCRouteSpecRulesMatchesMethodPatch {
+            /**
+             * Value of the method to match against. If left empty or omitted, will
+             * match all services.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            method?: pulumi.Input<string>;
+            /**
+             * Value of the service to match against. If left empty or omitted, will
+             * match any service.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            service?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the service and/or method.
+             * Support: Core (Exact with service and method specified)
+             *
+             * Support: Implementation-specific (Exact with method specified but no service specified)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * GRPCRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a gRPC request only if its service
+         * is `foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * matches:
+         *   - method:
+         *     type: Exact
+         *     service: "foo"
+         *     headers:
+         *   - name: "version"
+         *     value "v1"
+         *
+         * ```
+         */
+        interface GRPCRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies gRPC request header matchers. Multiple match values are
+             * ANDed together, meaning, a request MUST match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesHeadersPatch>[]>;
+            method?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesMethodPatch>;
+        }
+        /**
+         * GRPCRouteRule defines the semantics for matching a gRPC request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface GRPCRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive an `UNAVAILABLE` status.
+             *
+             * See the GRPCBackendRef definition for the rules about what makes a single
+             * GRPCBackendRef invalid.
+             *
+             * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive an `UNAVAILABLE` status.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+             * Implementations may choose how that 50 percent is determined.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * The effects of ordering of multiple behaviors are currently unspecified.
+             * This can change in the future based on feedback during the alpha stage.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations that support
+             *   GRPCRoute.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * If an implementation cannot support a combination of filters, it must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersPatch>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * gRPC requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - method:
+             *     service: foo.bar
+             *   headers:
+             *     values:
+             *       version: 2
+             * - method:
+             *     service: foo.bar.v2
+             * ```
+             *
+             * For a request to match against this rule, it MUST satisfy
+             * EITHER of the two conditions:
+             *
+             * - service of foo.bar AND contains the header `version: 2`
+             * - service of foo.bar.v2
+             *
+             * See the documentation for GRPCRouteMatch on how to specify multiple
+             * match conditions to be ANDed together.
+             *
+             * If no matches are specified, the implementation MUST match every gRPC request.
+             *
+             * Proxy or Load Balancer routing configuration generated from GRPCRoutes
+             * MUST prioritize rules based on the following criteria, continuing on
+             * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+             * Precedence MUST be given to the rule with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             * * Characters in a matching service.
+             * * Characters in a matching method.
+             * * Header matches.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within the Route that has been given precedence,
+             * matching precedence MUST be granted to the first matching rule meeting
+             * the above criteria.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesSessionPersistencePatch>;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesSessionPersistenceCookieConfig>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of GRPCRoute.
+         */
+        interface GRPCRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteStatusParents>[]>;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface GRPCRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteStatusParentsParentRef>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GRPCRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface GRPCRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Gateway represents an instance of a service-traffic handling infrastructure
+         * by binding Listeners to a set of IP addresses.
+         */
+        interface Gateway {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Gateway">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.GatewaySpec>;
+            status?: pulumi.Input<inputs.gateway.v1.GatewayStatus>;
+        }
+        /**
+         * GatewayClass describes a class of Gateways available to the user for creating
+         * Gateway resources.
+         *
+         * It is recommended that this resource be used as a template for Gateways. This
+         * means that a Gateway is based on the state of the GatewayClass at the time it
+         * was created and changes to the GatewayClass or associated parameters are not
+         * propagated down to existing Gateways. This recommendation is intended to
+         * limit the blast radius of changes to GatewayClass or associated parameters.
+         * If implementations choose to propagate GatewayClass changes to existing
+         * Gateways, that MUST be clearly documented by the implementation.
+         *
+         * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+         * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+         * associated GatewayClass. This ensures that a GatewayClass associated with a
+         * Gateway is not deleted while in use.
+         *
+         * GatewayClass is a Cluster level resource.
+         */
+        interface GatewayClass {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"GatewayClass">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.GatewayClassSpec>;
+            status?: pulumi.Input<inputs.gateway.v1.GatewayClassStatus>;
+        }
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        interface GatewayClassSpec {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1.GatewayClassSpecParametersRef>;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewayClassSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewayClassSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        interface GatewayClassSpecPatch {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1.GatewayClassSpecParametersRefPatch>;
+        }
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        interface GatewayClassStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayClassStatusConditions>[]>;
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayClassStatusSupportedFeatures>[]>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayClassStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        interface GatewayClassStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        interface GatewaySpec {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecAddresses>[]>;
+            allowedListeners?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListeners>;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope?: pulumi.Input<string>;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName?: pulumi.Input<string>;
+            infrastructure?: pulumi.Input<inputs.gateway.v1.GatewaySpecInfrastructure>;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListeners>[]>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecTls>;
+        }
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        interface GatewaySpecAddresses {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        interface GatewaySpecAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListeners {
+            namespaces?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespaces>;
+        }
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersNamespaces {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelector>;
+        }
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersNamespacesPatch {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorPatch>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersPatch {
+            namespaces?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesPatch>;
+        }
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecInfrastructure {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1.GatewaySpecInfrastructureParametersRef>;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewaySpecInfrastructureParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewaySpecInfrastructureParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecInfrastructurePatch {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1.GatewaySpecInfrastructureParametersRefPatch>;
+        }
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        interface GatewaySpecListeners {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutes>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersTls>;
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesKinds>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespaces>;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewaySpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewaySpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelector>;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesKindsPatch>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesPatch>;
+        }
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        interface GatewaySpecListenersPatch {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesPatch>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersTlsPatch>;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersTlsCertificateRefs>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersTlsCertificateRefsPatch>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        interface GatewaySpecPatch {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecAddressesPatch>[]>;
+            allowedListeners?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersPatch>;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope?: pulumi.Input<string>;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName?: pulumi.Input<string>;
+            infrastructure?: pulumi.Input<inputs.gateway.v1.GatewaySpecInfrastructurePatch>;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersPatch>[]>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsPatch>;
+        }
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecTls {
+            backend?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsBackend>;
+            frontend?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontend>;
+        }
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackend {
+            clientCertificateRef?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRef>;
+        }
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendClientCertificateRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendClientCertificateRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendPatch {
+            clientCertificateRef?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRefPatch>;
+        }
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontend {
+            default?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefault>;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPort>[]>;
+        }
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        interface GatewaySpecTlsFrontendDefault {
+            validation?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidation>;
+        }
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultPatch {
+            validation?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationPatch>;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPatch {
+            default?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultPatch>;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortPatch>[]>;
+        }
+        interface GatewaySpecTlsFrontendPerPort {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTls>;
+        }
+        interface GatewaySpecTlsFrontendPerPortPatch {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsPatch>;
+        }
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTls {
+            validation?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidation>;
+        }
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsPatch {
+            validation?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationPatch>;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecTlsPatch {
+            backend?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsBackendPatch>;
+            frontend?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPatch>;
+        }
+        /**
+         * Status defines the current state of Gateway.
+         */
+        interface GatewayStatus {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusAddresses>[]>;
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusConditions>[]>;
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusListeners>[]>;
+        }
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        interface GatewayStatusAddresses {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        interface GatewayStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes?: pulumi.Input<number>;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusListenersConditions>[]>;
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusListenersSupportedKinds>[]>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewayStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRoute provides a way to route HTTP requests. This includes the capability
+         * to match requests by hostname, path, header, or query param. Filters can be
+         * used to specify additional processing steps. Backends specify where matching
+         * requests should be routed.
+         */
+        interface HTTPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"HTTPRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1.HTTPRouteStatus>;
+        }
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        interface HTTPRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface HTTPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface HTTPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        interface HTTPRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface HTTPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFilters>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatches>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            retry?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesRetry>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesSessionPersistence>;
+            timeouts?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesTimeouts>;
+        }
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface HTTPRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFilters>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFilters {
+            cors?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCors>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite>;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody>;
+            grpc?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc>;
+            http?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch>;
+            grpc?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch>;
+            http?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersPatch {
+            cors?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath>;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch>;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface HTTPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersPatch>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesFilters {
+            cors?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersCors>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRef>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuth>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirror>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirect>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewrite>;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuth {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody>;
+            grpc?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpc>;
+            http?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttp>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch>;
+            grpc?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch>;
+            http?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesFiltersPatch {
+            cors?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersCorsPatch>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRefPatch>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorPatch>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePatch>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPath>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPathPatch>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePath>;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePathPatch>;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        interface HTTPRouteSpecRulesMatches {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesHeaders>[]>;
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesPath>;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParams>[]>;
+        }
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        interface HTTPRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        interface HTTPRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        interface HTTPRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesHeadersPatch>[]>;
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesPathPatch>;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParamsPatch>[]>;
+        }
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        interface HTTPRouteSpecRulesMatchesPath {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        interface HTTPRouteSpecRulesMatchesPathPatch {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        interface HTTPRouteSpecRulesMatchesQueryParams {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        interface HTTPRouteSpecRulesMatchesQueryParamsPatch {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface HTTPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersPatch>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            retry?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesRetryPatch>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesSessionPersistencePatch>;
+            timeouts?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesTimeoutsPatch>;
+        }
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesRetry {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts?: pulumi.Input<number>;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff?: pulumi.Input<string>;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes?: pulumi.Input<pulumi.Input<number>[]>;
+        }
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesRetryPatch {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts?: pulumi.Input<number>;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff?: pulumi.Input<string>;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes?: pulumi.Input<pulumi.Input<number>[]>;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesSessionPersistenceCookieConfig>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesTimeouts {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest?: pulumi.Input<string>;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request?: pulumi.Input<string>;
+        }
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesTimeoutsPatch {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest?: pulumi.Input<string>;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        interface HTTPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteStatusParents>[]>;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface HTTPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteStatusParentsParentRef>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface HTTPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface HTTPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+    }
+    namespace v1alpha1 {
+        /**
+         * XBackendTrafficPolicy defines the configuration for how traffic to a
+         * target backend should be handled.
+         */
+        interface XBackendTrafficPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"XBackendTrafficPolicy">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicyStatus>;
+        }
+        /**
+         * Spec defines the desired state of BackendTrafficPolicy.
+         */
+        interface XBackendTrafficPolicySpec {
+            retryConstraint?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraint>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistence>;
+            /**
+             * TargetRefs identifies API object(s) to apply this policy to.
+             * Currently, Backends (A grouping of like endpoints such as Service,
+             * ServiceImport, or any implementation-specific backendRef) are the only
+             * valid API target references.
+             *
+             * Currently, a TargetRef can not be scoped to a specific port on a
+             * Service.
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefs>[]>;
+        }
+        /**
+         * Spec defines the desired state of BackendTrafficPolicy.
+         */
+        interface XBackendTrafficPolicySpecPatch {
+            retryConstraint?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintPatch>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistencePatch>;
+            /**
+             * TargetRefs identifies API object(s) to apply this policy to.
+             * Currently, Backends (A grouping of like endpoints such as Service,
+             * ServiceImport, or any implementation-specific backendRef) are the only
+             * valid API target references.
+             *
+             * Currently, a TargetRef can not be scoped to a specific port on a
+             * Service.
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefsPatch>[]>;
+        }
+        /**
+         * RetryConstraint defines the configuration for when to allow or prevent
+         * further retries to a target backend, by dynamically calculating a 'retry
+         * budget'. This budget is calculated based on the percentage of incoming
+         * traffic composed of retries over a given time interval. Once the budget
+         * is exceeded, additional retries will be rejected.
+         *
+         * For example, if the retry budget interval is 10 seconds, there have been
+         * 1000 active requests in the past 10 seconds, and the allowed percentage
+         * of requests that can be retried is 20% (the default), then 200 of those
+         * requests may be composed of retries. Active requests will only be
+         * considered for the duration of the interval when calculating the retry
+         * budget. Retrying the same original request multiple times within the
+         * retry budget interval will lead to each retry being counted towards
+         * calculating the budget.
+         *
+         * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with
+         * HTTPRoute Retry settings for each HTTPRouteRule that targets the same
+         * backend. While the HTTPRouteRule Retry stanza can specify whether a
+         * request will be retried, and the number of retry attempts each client
+         * may perform, RetryConstraint helps prevent cascading failures such as
+         * retry storms during periods of consistent failures.
+         *
+         * After the retry budget has been exceeded, additional retries to the
+         * backend MUST return a 503 response to the client.
+         *
+         * Additional configurations for defining a constraint on retries MAY be
+         * defined in the future.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecRetryConstraint {
+            budget?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudget>;
+            minRetryRate?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRate>;
+        }
+        /**
+         * Budget holds the details of the retry budget configuration.
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintBudget {
+            /**
+             * Interval defines the duration in which requests will be considered
+             * for calculating the budget for retries.
+             *
+             * Support: Extended
+             */
+            interval?: pulumi.Input<string>;
+            /**
+             * Percent defines the maximum percentage of active requests that may
+             * be made up of retries.
+             *
+             * Support: Extended
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * Budget holds the details of the retry budget configuration.
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintBudgetPatch {
+            /**
+             * Interval defines the duration in which requests will be considered
+             * for calculating the budget for retries.
+             *
+             * Support: Extended
+             */
+            interval?: pulumi.Input<string>;
+            /**
+             * Percent defines the maximum percentage of active requests that may
+             * be made up of retries.
+             *
+             * Support: Extended
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * MinRetryRate defines the minimum rate of retries that will be allowable
+         * over a specified duration of time.
+         *
+         * The effective overall minimum rate of retries targeting the backend
+         * service may be much higher, as there can be any number of clients which
+         * are applying this setting locally.
+         *
+         * This ensures that requests can still be retried during periods of low
+         * traffic, where the budget for retries may be calculated as a very low
+         * value.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintMinRetryRate {
+            /**
+             * Count specifies the number of requests per time interval.
+             *
+             * Support: Extended
+             */
+            count?: pulumi.Input<number>;
+            /**
+             * Interval specifies the divisor of the rate of requests, the amount of
+             * time during which the given count of requests occur.
+             *
+             * Support: Extended
+             */
+            interval?: pulumi.Input<string>;
+        }
+        /**
+         * MinRetryRate defines the minimum rate of retries that will be allowable
+         * over a specified duration of time.
+         *
+         * The effective overall minimum rate of retries targeting the backend
+         * service may be much higher, as there can be any number of clients which
+         * are applying this setting locally.
+         *
+         * This ensures that requests can still be retried during periods of low
+         * traffic, where the budget for retries may be calculated as a very low
+         * value.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch {
+            /**
+             * Count specifies the number of requests per time interval.
+             *
+             * Support: Extended
+             */
+            count?: pulumi.Input<number>;
+            /**
+             * Interval specifies the divisor of the rate of requests, the amount of
+             * time during which the given count of requests occur.
+             *
+             * Support: Extended
+             */
+            interval?: pulumi.Input<string>;
+        }
+        /**
+         * RetryConstraint defines the configuration for when to allow or prevent
+         * further retries to a target backend, by dynamically calculating a 'retry
+         * budget'. This budget is calculated based on the percentage of incoming
+         * traffic composed of retries over a given time interval. Once the budget
+         * is exceeded, additional retries will be rejected.
+         *
+         * For example, if the retry budget interval is 10 seconds, there have been
+         * 1000 active requests in the past 10 seconds, and the allowed percentage
+         * of requests that can be retried is 20% (the default), then 200 of those
+         * requests may be composed of retries. Active requests will only be
+         * considered for the duration of the interval when calculating the retry
+         * budget. Retrying the same original request multiple times within the
+         * retry budget interval will lead to each retry being counted towards
+         * calculating the budget.
+         *
+         * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with
+         * HTTPRoute Retry settings for each HTTPRouteRule that targets the same
+         * backend. While the HTTPRouteRule Retry stanza can specify whether a
+         * request will be retried, and the number of retry attempts each client
+         * may perform, RetryConstraint helps prevent cascading failures such as
+         * retry storms during periods of consistent failures.
+         *
+         * After the retry budget has been exceeded, additional retries to the
+         * backend MUST return a 503 response to the client.
+         *
+         * Additional configurations for defining a constraint on retries MAY be
+         * defined in the future.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintPatch {
+            budget?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudgetPatch>;
+            minRetryRate?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch>;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the backend.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfig>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface XBackendTrafficPolicySpecSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the backend.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * LocalPolicyTargetReference identifies an API object to apply a direct or
+         * inherited policy to. This should be used as part of Policy resources
+         * that can target Gateway API resources. For more information on how this
+         * policy attachment model works, and a sample Policy resource, refer to
+         * the policy attachment documentation for Gateway API.
+         */
+        interface XBackendTrafficPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * LocalPolicyTargetReference identifies an API object to apply a direct or
+         * inherited policy to. This should be used as part of Policy resources
+         * that can target Gateway API resources. For more information on how this
+         * policy attachment model works, and a sample Policy resource, refer to
+         * the policy attachment documentation for Gateway API.
+         */
+        interface XBackendTrafficPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of BackendTrafficPolicy.
+         */
+        interface XBackendTrafficPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestors>[]>;
+        }
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        interface XBackendTrafficPolicyStatusAncestors {
+            ancestorRef?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRef>;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+        }
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        interface XBackendTrafficPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XBackendTrafficPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+         * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+         *
+         * The parent Gateway must explicitly allow ListenerSet attachment through its
+         * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+         * attachment.
+         *
+         * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+         * optionally target specific listeners using the sectionName field.
+         *
+         * Policy Attachment:
+         * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+         * - Policies do not impact listeners in the parent Gateway
+         * - Different ListenerSets attached to the same Gateway can have different policies
+         * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+         *
+         * ReferenceGrant Semantics:
+         * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+         * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+         * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+         *
+         * Gateway Integration:
+         * - The parent Gateway's status will include an "AttachedListenerSets" condition
+         * - This condition will be:
+         *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+         *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+         *   - Unknown: when no AllowedListeners config is present
+         */
+        interface XListenerSet {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"XListenerSet">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatus>;
+        }
+        /**
+         * Spec defines the desired state of ListenerSet.
+         */
+        interface XListenerSetSpec {
+            /**
+             * Listeners associated with this ListenerSet. Listeners define
+             * logical endpoints that are bound on this referenced parent Gateway's addresses.
+             *
+             * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+             * as a list when programming the underlying infrastructure. Each listener
+             * name does not need to be unique across the Gateway and ListenerSets.
+             * See ListenerEntry.Name for more details.
+             *
+             * Implementations MUST treat the parent Gateway as having the merged
+             * list of all listeners from itself and attached ListenerSets using
+             * the following precedence:
+             *
+             * 1. "parent" Gateway
+             * 2. ListenerSet ordered by creation time (oldest first)
+             * 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+             *
+             * An implementation MAY reject listeners by setting the ListenerEntryStatus
+             * `Accepted` condition to False with the Reason `TooManyListeners`
+             *
+             * If a listener has a conflict, this will be reported in the
+             * Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+             *
+             * Implementations SHOULD be cautious about what information from the
+             * parent or siblings are reported to avoid accidentally leaking
+             * sensitive information that the child would not otherwise have access
+             * to. This can include contents of secrets etc.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListeners>[]>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecParentRef>;
+        }
+        interface XListenerSetSpecListeners {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutes>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+             *   protocol layers as described above. If an implementation does not
+             *   ensure that both the SNI and Host header match the Listener hostname,
+             *   it MUST clearly document that.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * ListenerSet.
+             *
+             * Name is not required to be unique across a Gateway and ListenerSets.
+             * Routes can attach to a Listener by having a ListenerSet as a parentRef
+             * and setting the SectionName
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * If the port is not set or specified as zero, the implementation will assign
+             * a unique port. If the implementation does not support dynamic port
+             * assignment, it MUST set `Accepted` condition to `False` with the
+             * `UnsupportedPort` reason.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersTls>;
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         */
+        interface XListenerSetSpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKinds>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespaces>;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelector>;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKindsPatch>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesPatch>;
+        }
+        interface XListenerSetSpecListenersPatch {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesPatch>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+             *   protocol layers as described above. If an implementation does not
+             *   ensure that both the SNI and Host header match the Listener hostname,
+             *   it MUST clearly document that.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * ListenerSet.
+             *
+             * Name is not required to be unique across a Gateway and ListenerSets.
+             * Routes can attach to a Listener by having a ListenerSet as a parentRef
+             * and setting the SectionName
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * If the port is not set or specified as zero, the implementation will assign
+             * a unique port. If the implementation does not support dynamic port
+             * assignment, it MUST set `Accepted` condition to `False` with the
+             * `UnsupportedPort` reason.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersTlsPatch>;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         */
+        interface XListenerSetSpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefs>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface XListenerSetSpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface XListenerSetSpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         */
+        interface XListenerSetSpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefsPatch>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * ParentRef references the Gateway that the listeners are attached to.
+         */
+        interface XListenerSetSpecParentRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Gateway".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.  If not present,
+             * the namespace of the referent is assumed to be the same as
+             * the namespace of the referring object.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ParentRef references the Gateway that the listeners are attached to.
+         */
+        interface XListenerSetSpecParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Gateway".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.  If not present,
+             * the namespace of the referent is assumed to be the same as
+             * the namespace of the referring object.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of ListenerSet.
+         */
+        interface XListenerSetSpecPatch {
+            /**
+             * Listeners associated with this ListenerSet. Listeners define
+             * logical endpoints that are bound on this referenced parent Gateway's addresses.
+             *
+             * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+             * as a list when programming the underlying infrastructure. Each listener
+             * name does not need to be unique across the Gateway and ListenerSets.
+             * See ListenerEntry.Name for more details.
+             *
+             * Implementations MUST treat the parent Gateway as having the merged
+             * list of all listeners from itself and attached ListenerSets using
+             * the following precedence:
+             *
+             * 1. "parent" Gateway
+             * 2. ListenerSet ordered by creation time (oldest first)
+             * 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+             *
+             * An implementation MAY reject listeners by setting the ListenerEntryStatus
+             * `Accepted` condition to False with the Reason `TooManyListeners`
+             *
+             * If a listener has a conflict, this will be reported in the
+             * Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+             *
+             * Implementations SHOULD be cautious about what information from the
+             * parent or siblings are reported to avoid accidentally leaking
+             * sensitive information that the child would not otherwise have access
+             * to. This can include contents of secrets etc.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersPatch>[]>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecParentRefPatch>;
+        }
+        /**
+         * Status defines the current state of ListenerSet.
+         */
+        interface XListenerSetStatus {
+            /**
+             * Conditions describe the current conditions of the ListenerSet.
+             *
+             * Implementations MUST express ListenerSet conditions using the
+             * `ListenerSetConditionType` and `ListenerSetConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe ListenerSet state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatusConditions>[]>;
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatusListeners>[]>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XListenerSetStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        interface XListenerSetStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes?: pulumi.Input<number>;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatusListenersConditions>[]>;
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port the listener is configured to listen on.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKinds>[]>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XListenerSetStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface XListenerSetStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+        /**
+         * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+         */
+        interface XMesh {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"XMesh">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha1.XMeshStatus>;
+        }
+        /**
+         * Spec defines the desired state of XMesh.
+         */
+        interface XMeshSpec {
+            /**
+             * ControllerName is the name of a controller that is managing Gateway API
+             * resources for mesh traffic management. The value of this field MUST be a
+             * domain prefixed path.
+             *
+             * Example: "example.com/awesome-mesh".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description optionally provides a human-readable description of a Mesh.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpecParametersRef>;
+        }
+        /**
+         * ParametersRef is an optional reference to a resource that contains
+         * implementation-specific configuration for this Mesh. If no
+         * implementation-specific parameters are needed, this field MUST be
+         * omitted.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e.
+         * ConfigMap, or an implementation-specific custom resource. The resource
+         * can be cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Mesh MUST be rejected
+         * with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface XMeshSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ParametersRef is an optional reference to a resource that contains
+         * implementation-specific configuration for this Mesh. If no
+         * implementation-specific parameters are needed, this field MUST be
+         * omitted.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e.
+         * ConfigMap, or an implementation-specific custom resource. The resource
+         * can be cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Mesh MUST be rejected
+         * with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface XMeshSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of XMesh.
+         */
+        interface XMeshSpecPatch {
+            /**
+             * ControllerName is the name of a controller that is managing Gateway API
+             * resources for mesh traffic management. The value of this field MUST be a
+             * domain prefixed path.
+             *
+             * Example: "example.com/awesome-mesh".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description optionally provides a human-readable description of a Mesh.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpecParametersRefPatch>;
+        }
+        /**
+         * Status defines the current state of XMesh.
+         */
+        interface XMeshStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this Mesh.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of MeshConditionType for the type of each Condition.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XMeshStatusConditions>[]>;
+            /**
+             * SupportedFeatures is the set of features the Mesh support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XMeshStatusSupportedFeatures>[]>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XMeshStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        interface XMeshStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name?: pulumi.Input<string>;
+        }
+    }
+    namespace v1alpha2 {
+        /**
+         * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+         * listener, it can be used to forward connections on the port specified by the
+         * listener to a set of backends specified by the TCPRoute.
+         */
+        interface TCPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"TCPRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteStatus>;
+        }
+        /**
+         * Spec defines the desired state of TCPRoute.
+         */
+        interface TCPRouteSpec {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of TCP matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TCPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TCPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of TCPRoute.
+         */
+        interface TCPRouteSpecPatch {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of TCP matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * TCPRouteRule is the configuration for a given rule.
+         */
+        interface TCPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Connection rejections must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * connections, then 80% of connections must be rejected instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TCPRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TCPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * TCPRouteRule is the configuration for a given rule.
+         */
+        interface TCPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Connection rejections must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * connections, then 80% of connections must be rejected instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of TCPRoute.
+         */
+        interface TCPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteStatusParents>[]>;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface TCPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteStatusParentsParentRef>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface TCPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface TCPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * The TLSRoute resource is similar to TCPRoute, but can be configured
+         * to match against TLS-specific metadata. This allows more flexibility
+         * in matching streams for a given TLS listener.
+         *
+         * If you need to forward traffic to a single target for a TLS listener, you
+         * could choose to use a TCPRoute with a TLS listener.
+         */
+        interface TLSRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"TLSRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteStatus>;
+        }
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        interface TLSRouteSpec {
+            /**
+             * Hostnames defines a set of SNI names that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI names per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of TLS matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TLSRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TLSRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        interface TLSRouteSpecPatch {
+            /**
+             * Hostnames defines a set of SNI names that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI names per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of TLS matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        interface TLSRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TLSRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TLSRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        interface TLSRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        interface TLSRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteStatusParents>[]>;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface TLSRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteStatusParentsParentRef>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface TLSRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface TLSRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+         * listener, it can be used to forward traffic on the port specified by the
+         * listener to a set of backends specified by the UDPRoute.
+         */
+        interface UDPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"UDPRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteStatus>;
+        }
+        /**
+         * Spec defines the desired state of UDPRoute.
+         */
+        interface UDPRouteSpec {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of UDP matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface UDPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface UDPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of UDPRoute.
+         */
+        interface UDPRouteSpecPatch {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of UDP matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * UDPRouteRule is the configuration for a given rule.
+         */
+        interface UDPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Packet drops must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * the packets, then 80% of packets must be dropped instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface UDPRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface UDPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * UDPRouteRule is the configuration for a given rule.
+         */
+        interface UDPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Packet drops must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * the packets, then 80% of packets must be dropped instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of UDPRoute.
+         */
+        interface UDPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteStatusParents>[]>;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface UDPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteStatusParentsParentRef>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface UDPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface UDPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+    }
+    namespace v1alpha3 {
+        /**
+         * BackendTLSPolicy provides a way to configure how a Gateway
+         * connects to a Backend via TLS.
+         */
+        interface BackendTLSPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"BackendTLSPolicy">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicyStatus>;
+        }
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicySpec {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefs>[]>;
+            validation?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidation>;
+        }
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicySpecPatch {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefsPatch>[]>;
+            validation?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationPatch>;
+        }
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        interface BackendTLSPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        interface BackendTLSPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        interface BackendTLSPolicySpecValidation {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefs>[]>;
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNames>[]>;
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface BackendTLSPolicySpecValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface BackendTLSPolicySpecValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        interface BackendTLSPolicySpecValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefsPatch>[]>;
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNamesPatch>[]>;
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates?: pulumi.Input<string>;
+        }
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        interface BackendTLSPolicySpecValidationSubjectAltNames {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri?: pulumi.Input<string>;
+        }
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        interface BackendTLSPolicySpecValidationSubjectAltNamesPatch {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestors>[]>;
+        }
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        interface BackendTLSPolicyStatusAncestors {
+            ancestorRef?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsAncestorRef>;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+        }
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        interface BackendTLSPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface BackendTLSPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * The TLSRoute resource is similar to TCPRoute, but can be configured
+         * to match against TLS-specific metadata. This allows more flexibility
+         * in matching streams for a given TLS listener.
+         *
+         * If you need to forward traffic to a single target for a TLS listener, you
+         * could choose to use a TCPRoute with a TLS listener.
+         */
+        interface TLSRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"TLSRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteStatus>;
+        }
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        interface TLSRouteSpec {
+            /**
+             * Hostnames defines a set of SNI hostnames that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI hostnames per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one of `test.example.com` or
+             *   `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one hostname that matches the Listener
+             *   hostname. For example, `test.example.com` and `*.example.com` would both
+             *   match. On the other hand, `example.com` and `test.example.net` would not
+             *   match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TLSRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TLSRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        interface TLSRouteSpecPatch {
+            /**
+             * Hostnames defines a set of SNI hostnames that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI hostnames per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one of `test.example.com` or
+             *   `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one hostname that matches the Listener
+             *   hostname. For example, `test.example.com` and `*.example.com` would both
+             *   match. On the other hand, `example.com` and `test.example.net` would not
+             *   match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        interface TLSRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TLSRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TLSRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        interface TLSRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        interface TLSRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteStatusParents>[]>;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface TLSRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteStatusParentsParentRef>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface TLSRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface TLSRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+    }
+    namespace v1beta1 {
+        /**
+         * Gateway represents an instance of a service-traffic handling infrastructure
+         * by binding Listeners to a set of IP addresses.
+         */
+        interface Gateway {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Gateway">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpec>;
+            status?: pulumi.Input<inputs.gateway.v1beta1.GatewayStatus>;
+        }
+        /**
+         * GatewayClass describes a class of Gateways available to the user for creating
+         * Gateway resources.
+         *
+         * It is recommended that this resource be used as a template for Gateways. This
+         * means that a Gateway is based on the state of the GatewayClass at the time it
+         * was created and changes to the GatewayClass or associated parameters are not
+         * propagated down to existing Gateways. This recommendation is intended to
+         * limit the blast radius of changes to GatewayClass or associated parameters.
+         * If implementations choose to propagate GatewayClass changes to existing
+         * Gateways, that MUST be clearly documented by the implementation.
+         *
+         * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+         * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+         * associated GatewayClass. This ensures that a GatewayClass associated with a
+         * Gateway is not deleted while in use.
+         *
+         * GatewayClass is a Cluster level resource.
+         */
+        interface GatewayClass {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"GatewayClass">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpec>;
+            status?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassStatus>;
+        }
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        interface GatewayClassSpec {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpecParametersRef>;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewayClassSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewayClassSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        interface GatewayClassSpecPatch {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpecParametersRefPatch>;
+        }
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        interface GatewayClassStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayClassStatusConditions>[]>;
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayClassStatusSupportedFeatures>[]>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayClassStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        interface GatewayClassStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        interface GatewaySpec {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAddresses>[]>;
+            allowedListeners?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListeners>;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope?: pulumi.Input<string>;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName?: pulumi.Input<string>;
+            infrastructure?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecInfrastructure>;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListeners>[]>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTls>;
+        }
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        interface GatewaySpecAddresses {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        interface GatewaySpecAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListeners {
+            namespaces?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespaces>;
+        }
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersNamespaces {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelector>;
+        }
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersNamespacesPatch {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorPatch>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersPatch {
+            namespaces?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesPatch>;
+        }
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecInfrastructure {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecInfrastructureParametersRef>;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewaySpecInfrastructureParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewaySpecInfrastructureParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecInfrastructurePatch {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecInfrastructureParametersRefPatch>;
+        }
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        interface GatewaySpecListeners {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutes>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersTls>;
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKinds>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespaces>;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewaySpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewaySpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelector>;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKindsPatch>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesPatch>;
+        }
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        interface GatewaySpecListenersPatch {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesPatch>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersTlsPatch>;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefs>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefsPatch>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+        }
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        interface GatewaySpecPatch {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAddressesPatch>[]>;
+            allowedListeners?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersPatch>;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope?: pulumi.Input<string>;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName?: pulumi.Input<string>;
+            infrastructure?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecInfrastructurePatch>;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersPatch>[]>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsPatch>;
+        }
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecTls {
+            backend?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsBackend>;
+            frontend?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontend>;
+        }
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackend {
+            clientCertificateRef?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRef>;
+        }
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendClientCertificateRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendClientCertificateRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendPatch {
+            clientCertificateRef?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRefPatch>;
+        }
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontend {
+            default?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefault>;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPort>[]>;
+        }
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        interface GatewaySpecTlsFrontendDefault {
+            validation?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidation>;
+        }
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultPatch {
+            validation?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationPatch>;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPatch {
+            default?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultPatch>;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortPatch>[]>;
+        }
+        interface GatewaySpecTlsFrontendPerPort {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTls>;
+        }
+        interface GatewaySpecTlsFrontendPerPortPatch {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsPatch>;
+        }
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTls {
+            validation?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidation>;
+        }
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsPatch {
+            validation?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationPatch>;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecTlsPatch {
+            backend?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsBackendPatch>;
+            frontend?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPatch>;
+        }
+        /**
+         * Status defines the current state of Gateway.
+         */
+        interface GatewayStatus {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusAddresses>[]>;
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusConditions>[]>;
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusListeners>[]>;
+        }
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        interface GatewayStatusAddresses {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        interface GatewayStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes?: pulumi.Input<number>;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusListenersConditions>[]>;
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusListenersSupportedKinds>[]>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewayStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRoute provides a way to route HTTP requests. This includes the capability
+         * to match requests by hostname, path, header, or query param. Filters can be
+         * used to specify additional processing steps. Backends specify where matching
+         * requests should be routed.
+         */
+        interface HTTPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"HTTPRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteStatus>;
+        }
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        interface HTTPRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface HTTPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface HTTPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        interface HTTPRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface HTTPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFilters>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatches>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            retry?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesRetry>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistence>;
+            timeouts?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesTimeouts>;
+        }
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface HTTPRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFilters>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFilters {
+            cors?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCors>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite>;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody>;
+            grpc?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc>;
+            http?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch>;
+            grpc?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch>;
+            http?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersPatch {
+            cors?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath>;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch>;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface HTTPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersPatch>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesFilters {
+            cors?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCors>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRef>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuth>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirror>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirect>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewrite>;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuth {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody>;
+            grpc?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpc>;
+            http?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttp>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch>;
+            grpc?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch>;
+            http?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesFiltersPatch {
+            cors?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCorsPatch>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRefPatch>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorPatch>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePatch>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPath>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPathPatch>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSet>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePath>;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePathPatch>;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        interface HTTPRouteSpecRulesMatches {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesHeaders>[]>;
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPath>;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParams>[]>;
+        }
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        interface HTTPRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        interface HTTPRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        interface HTTPRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesHeadersPatch>[]>;
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPathPatch>;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParamsPatch>[]>;
+        }
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        interface HTTPRouteSpecRulesMatchesPath {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        interface HTTPRouteSpecRulesMatchesPathPatch {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        interface HTTPRouteSpecRulesMatchesQueryParams {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        interface HTTPRouteSpecRulesMatchesQueryParamsPatch {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface HTTPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersPatch>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            retry?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesRetryPatch>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistencePatch>;
+            timeouts?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesTimeoutsPatch>;
+        }
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesRetry {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts?: pulumi.Input<number>;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff?: pulumi.Input<string>;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes?: pulumi.Input<pulumi.Input<number>[]>;
+        }
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesRetryPatch {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts?: pulumi.Input<number>;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff?: pulumi.Input<string>;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes?: pulumi.Input<pulumi.Input<number>[]>;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistenceCookieConfig>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesTimeouts {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest?: pulumi.Input<string>;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request?: pulumi.Input<string>;
+        }
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesTimeoutsPatch {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest?: pulumi.Input<string>;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request?: pulumi.Input<string>;
+        }
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        interface HTTPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteStatusParents>[]>;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface HTTPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteStatusParentsParentRef>;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface HTTPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface HTTPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+        /**
+         * ReferenceGrant identifies kinds of resources in other namespaces that are
+         * trusted to reference the specified kinds of resources in the same namespace
+         * as the policy.
+         *
+         * Each ReferenceGrant can be used to represent a unique trust relationship.
+         * Additional Reference Grants can be used to add to the set of trusted
+         * sources of inbound references for the namespace they are defined within.
+         *
+         * All cross-namespace references in Gateway API (with the exception of cross-namespace
+         * Gateway-route attachment) require a ReferenceGrant.
+         *
+         * ReferenceGrant is a form of runtime verification allowing users to assert
+         * which cross-namespace object references are permitted. Implementations that
+         * support ReferenceGrant MUST NOT permit cross-namespace references which have
+         * no grant, and MUST respond to the removal of a grant by revoking the access
+         * that the grant allowed.
+         */
+        interface ReferenceGrant {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"ReferenceGrant">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpec>;
+        }
+        /**
+         * Spec defines the desired state of ReferenceGrant.
+         */
+        interface ReferenceGrantSpec {
+            /**
+             * From describes the trusted namespaces and kinds that can reference the
+             * resources described in "To". Each entry in this list MUST be considered
+             * to be an additional place that references can be valid from, or to put
+             * this another way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecFrom>[]>;
+            /**
+             * To describes the resources that may be referenced by the resources
+             * described in "From". Each entry in this list MUST be considered to be an
+             * additional place that references can be valid to, or to put this another
+             * way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            to?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecTo>[]>;
+        }
+        /**
+         * ReferenceGrantFrom describes trusted namespaces and kinds.
+         */
+        interface ReferenceGrantSpecFrom {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field.
+             *
+             * When used to permit a SecretObjectReference:
+             *
+             * * Gateway
+             *
+             * When used to permit a BackendObjectReference:
+             *
+             * * GRPCRoute
+             * * HTTPRoute
+             * * TCPRoute
+             * * TLSRoute
+             * * UDPRoute
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * ReferenceGrantFrom describes trusted namespaces and kinds.
+         */
+        interface ReferenceGrantSpecFromPatch {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field.
+             *
+             * When used to permit a SecretObjectReference:
+             *
+             * * Gateway
+             *
+             * When used to permit a BackendObjectReference:
+             *
+             * * GRPCRoute
+             * * HTTPRoute
+             * * TCPRoute
+             * * TLSRoute
+             * * UDPRoute
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+        /**
+         * Spec defines the desired state of ReferenceGrant.
+         */
+        interface ReferenceGrantSpecPatch {
+            /**
+             * From describes the trusted namespaces and kinds that can reference the
+             * resources described in "To". Each entry in this list MUST be considered
+             * to be an additional place that references can be valid from, or to put
+             * this another way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecFromPatch>[]>;
+            /**
+             * To describes the resources that may be referenced by the resources
+             * described in "From". Each entry in this list MUST be considered to be an
+             * additional place that references can be valid to, or to put this another
+             * way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            to?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecToPatch>[]>;
+        }
+        /**
+         * ReferenceGrantTo describes what Kinds are allowed as targets of the
+         * references.
+         */
+        interface ReferenceGrantSpecTo {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field:
+             *
+             * * Secret when used to permit a SecretObjectReference
+             * * Service when used to permit a BackendObjectReference
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent. When unspecified, this policy
+             * refers to all resources of the specified Group and Kind in the local
+             * namespace.
+             */
+            name?: pulumi.Input<string>;
+        }
+        /**
+         * ReferenceGrantTo describes what Kinds are allowed as targets of the
+         * references.
+         */
+        interface ReferenceGrantSpecToPatch {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field:
+             *
+             * * Secret when used to permit a SecretObjectReference
+             * * Service when used to permit a BackendObjectReference
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent. When unspecified, this policy
+             * refers to all resources of the specified Group and Kind in the local
+             * namespace.
+             */
+            name?: pulumi.Input<string>;
+        }
+    }
+}
+export declare namespace meta {
+    namespace v1 {
+        /**
+         * ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.
+         */
+        interface ListMeta {
+            /**
+             * continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.
+             */
+            continue?: pulumi.Input<string>;
+            /**
+             * remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.
+             */
+            remainingItemCount?: pulumi.Input<number>;
+            /**
+             * String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion?: pulumi.Input<string>;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink?: pulumi.Input<string>;
+        }
+        /**
+         * ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.
+         */
+        interface ManagedFieldsEntry {
+            /**
+             * APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.
+             */
+            apiVersion?: pulumi.Input<string>;
+            /**
+             * FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"
+             */
+            fieldsType?: pulumi.Input<string>;
+            /**
+             * FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+             */
+            fieldsV1?: any;
+            /**
+             * Manager is an identifier of the workflow managing these fields.
+             */
+            manager?: pulumi.Input<string>;
+            /**
+             * Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.
+             */
+            operation?: pulumi.Input<string>;
+            /**
+             * Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.
+             */
+            subresource?: pulumi.Input<string>;
+            /**
+             * Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.
+             */
+            time?: pulumi.Input<string>;
+        }
+        /**
+         * ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.
+         */
+        interface ManagedFieldsEntryPatch {
+            /**
+             * APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.
+             */
+            apiVersion?: pulumi.Input<string>;
+            /**
+             * FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"
+             */
+            fieldsType?: pulumi.Input<string>;
+            /**
+             * FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+             */
+            fieldsV1?: any;
+            /**
+             * Manager is an identifier of the workflow managing these fields.
+             */
+            manager?: pulumi.Input<string>;
+            /**
+             * Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.
+             */
+            operation?: pulumi.Input<string>;
+            /**
+             * Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.
+             */
+            subresource?: pulumi.Input<string>;
+            /**
+             * Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.
+             */
+            time?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.
+         */
+        interface ObjectMeta {
+            /**
+             * Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+             *
+             * Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            creationTimestamp?: pulumi.Input<string>;
+            /**
+             * Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
+             */
+            deletionGracePeriodSeconds?: pulumi.Input<number>;
+            /**
+             * DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
+             *
+             * Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            deletionTimestamp?: pulumi.Input<string>;
+            /**
+             * Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
+             */
+            finalizers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.
+             *
+             * If this field is specified and the generated name exists, the server will return a 409.
+             *
+             * Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+             */
+            generateName?: pulumi.Input<string>;
+            /**
+             * A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
+             */
+            generation?: pulumi.Input<number>;
+            /**
+             * Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+             */
+            managedFields?: pulumi.Input<pulumi.Input<inputs.meta.v1.ManagedFieldsEntry>[]>;
+            /**
+             * Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
+             *
+             * Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
+             */
+            ownerReferences?: pulumi.Input<pulumi.Input<inputs.meta.v1.OwnerReference>[]>;
+            /**
+             * An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.
+             *
+             * Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion?: pulumi.Input<string>;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink?: pulumi.Input<string>;
+            /**
+             * UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
+             *
+             * Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid?: pulumi.Input<string>;
+        }
+        /**
+         * ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.
+         */
+        interface ObjectMetaPatch {
+            /**
+             * Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
+             */
+            annotations?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+             *
+             * Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            creationTimestamp?: pulumi.Input<string>;
+            /**
+             * Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
+             */
+            deletionGracePeriodSeconds?: pulumi.Input<number>;
+            /**
+             * DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
+             *
+             * Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            deletionTimestamp?: pulumi.Input<string>;
+            /**
+             * Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
+             */
+            finalizers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.
+             *
+             * If this field is specified and the generated name exists, the server will return a 409.
+             *
+             * Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+             */
+            generateName?: pulumi.Input<string>;
+            /**
+             * A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
+             */
+            generation?: pulumi.Input<number>;
+            /**
+             * Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+             */
+            labels?: pulumi.Input<{
+                [key: string]: pulumi.Input<string>;
+            }>;
+            /**
+             * ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+             */
+            managedFields?: pulumi.Input<pulumi.Input<inputs.meta.v1.ManagedFieldsEntryPatch>[]>;
+            /**
+             * Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
+             *
+             * Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
+             */
+            ownerReferences?: pulumi.Input<pulumi.Input<inputs.meta.v1.OwnerReferencePatch>[]>;
+            /**
+             * An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.
+             *
+             * Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion?: pulumi.Input<string>;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink?: pulumi.Input<string>;
+            /**
+             * UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
+             *
+             * Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid?: pulumi.Input<string>;
+        }
+        /**
+         * OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.
+         */
+        interface OwnerReference {
+            /**
+             * API version of the referent.
+             */
+            apiVersion: pulumi.Input<string>;
+            /**
+             * If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.
+             */
+            blockOwnerDeletion?: pulumi.Input<boolean>;
+            /**
+             * If true, this reference points to the managing controller.
+             */
+            controller?: pulumi.Input<boolean>;
+            /**
+             * Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: pulumi.Input<string>;
+            /**
+             * Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: pulumi.Input<string>;
+            /**
+             * UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: pulumi.Input<string>;
+        }
+        /**
+         * OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.
+         */
+        interface OwnerReferencePatch {
+            /**
+             * API version of the referent.
+             */
+            apiVersion?: pulumi.Input<string>;
+            /**
+             * If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.
+             */
+            blockOwnerDeletion?: pulumi.Input<boolean>;
+            /**
+             * If true, this reference points to the managing controller.
+             */
+            controller?: pulumi.Input<boolean>;
+            /**
+             * Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid?: pulumi.Input<string>;
+        }
+    }
+}
diff --git a/generated/crds/types/input.js b/generated/crds/types/input.js
new file mode 100644
index 0000000..9d50076
--- /dev/null
+++ b/generated/crds/types/input.js
@@ -0,0 +1,4 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
diff --git a/generated/crds/types/input.ts b/generated/crds/types/input.ts
new file mode 100644
index 0000000..5f9c5c8
--- /dev/null
+++ b/generated/crds/types/input.ts
@@ -0,0 +1,49243 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+
+export namespace acme {
+    export namespace v1 {
+        /**
+         * Challenge is a type to represent a Challenge request with an ACME server
+         */
+        export interface Challenge {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Challenge">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpec>;
+            status?: pulumi.Input<inputs.acme.v1.ChallengeStatus>;
+        }
+
+        export interface ChallengeSpec {
+            /**
+             * The URL to the ACME Authorization resource that this
+             * challenge is a part of.
+             */
+            authorizationURL?: pulumi.Input<string>;
+            /**
+             * dnsName is the identifier that this challenge is for, e.g., example.com.
+             * If the requested DNSName is a 'wildcard', this field MUST be set to the
+             * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
+             */
+            dnsName?: pulumi.Input<string>;
+            issuerRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecIssuerRef>;
+            /**
+             * The ACME challenge key for this challenge
+             * For HTTP01 challenges, this is the value that must be responded with to
+             * complete the HTTP01 challenge in the format:
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`.
+             * For DNS01 challenges, this is the base64 encoded SHA256 sum of the
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`
+             * text that must be set as the TXT record content.
+             */
+            key?: pulumi.Input<string>;
+            solver?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolver>;
+            /**
+             * The ACME challenge token for this challenge.
+             * This is the raw value returned from the ACME server.
+             */
+            token?: pulumi.Input<string>;
+            /**
+             * The type of ACME challenge this resource represents.
+             * One of "HTTP-01" or "DNS-01".
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * The URL of the ACME Challenge resource for this challenge.
+             * This can be used to lookup details about the status of this challenge.
+             */
+            url?: pulumi.Input<string>;
+            /**
+             * wildcard will be true if this challenge is for a wildcard identifier,
+             * for example '*.example.com'.
+             */
+            wildcard?: pulumi.Input<boolean>;
+        }
+
+        /**
+         * References a properly configured ACME-type Issuer which should
+         * be used to create this Challenge.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Challenge will be marked as failed.
+         */
+        export interface ChallengeSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * References a properly configured ACME-type Issuer which should
+         * be used to create this Challenge.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Challenge will be marked as failed.
+         */
+        export interface ChallengeSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        export interface ChallengeSpecPatch {
+            /**
+             * The URL to the ACME Authorization resource that this
+             * challenge is a part of.
+             */
+            authorizationURL?: pulumi.Input<string>;
+            /**
+             * dnsName is the identifier that this challenge is for, e.g., example.com.
+             * If the requested DNSName is a 'wildcard', this field MUST be set to the
+             * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
+             */
+            dnsName?: pulumi.Input<string>;
+            issuerRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecIssuerRefPatch>;
+            /**
+             * The ACME challenge key for this challenge
+             * For HTTP01 challenges, this is the value that must be responded with to
+             * complete the HTTP01 challenge in the format:
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`.
+             * For DNS01 challenges, this is the base64 encoded SHA256 sum of the
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`
+             * text that must be set as the TXT record content.
+             */
+            key?: pulumi.Input<string>;
+            solver?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverPatch>;
+            /**
+             * The ACME challenge token for this challenge.
+             * This is the raw value returned from the ACME server.
+             */
+            token?: pulumi.Input<string>;
+            /**
+             * The type of ACME challenge this resource represents.
+             * One of "HTTP-01" or "DNS-01".
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * The URL of the ACME Challenge resource for this challenge.
+             * This can be used to lookup details about the status of this challenge.
+             */
+            url?: pulumi.Input<string>;
+            /**
+             * wildcard will be true if this challenge is for a wildcard identifier,
+             * for example '*.example.com'.
+             */
+            wildcard?: pulumi.Input<boolean>;
+        }
+
+        /**
+         * Contains the domain solving configuration that should be used to
+         * solve this challenge resource.
+         */
+        export interface ChallengeSpecSolver {
+            dns01?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01>;
+            http01?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01>;
+            selector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverSelector>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface ChallengeSpecSolverDns01 {
+            acmeDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AcmeDNS>;
+            akamai?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Akamai>;
+            azureDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNS>;
+            cloudDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudDNS>;
+            cloudflare?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Cloudflare>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Digitalocean>;
+            rfc2136?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Rfc2136>;
+            route53?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53>;
+            webhook?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Webhook>;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AcmeDNS {
+            accountSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSAccountSecretRef>;
+            host?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AcmeDNSPatch {
+            accountSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSAccountSecretRefPatch>;
+            host?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Akamai {
+            accessTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiAccessTokenSecretRef>;
+            clientSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientSecretSecretRef>;
+            clientTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientTokenSecretRef>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiPatch {
+            accessTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiAccessTokenSecretRefPatch>;
+            clientSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientSecretSecretRefPatch>;
+            clientTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientTokenSecretRefPatch>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSClientSecretSecretRef>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSManagedIdentity>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSClientSecretSecretRefPatch>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRef>;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRefPatch>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Cloudflare {
+            apiKeySecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiKeySecretRef>;
+            apiTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiTokenSecretRef>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface ChallengeSpecSolverDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface ChallengeSpecSolverDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface ChallengeSpecSolverDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface ChallengeSpecSolverDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01CloudflarePatch {
+            apiKeySecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiKeySecretRefPatch>;
+            apiTokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiTokenSecretRefPatch>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Digitalocean {
+            tokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanTokenSecretRef>;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01DigitaloceanPatch {
+            tokenSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanTokenSecretRefPatch>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface ChallengeSpecSolverDns01Patch {
+            acmeDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSPatch>;
+            akamai?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AkamaiPatch>;
+            azureDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01AzureDNSPatch>;
+            cloudDNS?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudDNSPatch>;
+            cloudflare?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01CloudflarePatch>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanPatch>;
+            rfc2136?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Rfc2136Patch>;
+            route53?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53Patch>;
+            webhook?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01WebhookPatch>;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRef>;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRefPatch>;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef>;
+            auth?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53Auth>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53SecretAccessKeySecretRef>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface ChallengeSpecSolverDns01Route53Auth {
+            kubernetes?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetes>;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthKubernetes {
+            serviceAccountRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRef>;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthKubernetesPatch {
+            serviceAccountRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRefPatch>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthPatch {
+            kubernetes?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesPatch>;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch>;
+            auth?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53AuthPatch>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Route53SecretAccessKeySecretRefPatch>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ChallengeSpecSolverDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ChallengeSpecSolverDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{[key: string]: any}>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{[key: string]: any}>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface ChallengeSpecSolverHttp01 {
+            gatewayHTTPRoute?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoute>;
+            ingress?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01Ingress>;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs>[]>;
+            podTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch>[]>;
+            podTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls>[]>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface ChallengeSpecSolverHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplate>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01IngressIngressTemplate {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplateMetadata>;
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01IngressIngressTemplatePatch {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplateMetadataPatch>;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplatePatch>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplate {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpec>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplatePatch {
+            metadata?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecPatch>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpec {
+            affinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerations>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinity>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls>[]>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface ChallengeSpecSolverHttp01Patch {
+            gatewayHTTPRoute?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePatch>;
+            ingress?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01IngressPatch>;
+        }
+
+        /**
+         * Contains the domain solving configuration that should be used to
+         * solve this challenge resource.
+         */
+        export interface ChallengeSpecSolverPatch {
+            dns01?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverDns01Patch>;
+            http01?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverHttp01Patch>;
+            selector?: pulumi.Input<inputs.acme.v1.ChallengeSpecSolverSelectorPatch>;
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface ChallengeSpecSolverSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface ChallengeSpecSolverSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        export interface ChallengeStatus {
+            /**
+             * presented will be set to true if the challenge values for this challenge
+             * are currently 'presented'.
+             * This *does not* imply the self check is passing. Only that the values
+             * have been 'submitted' for the appropriate challenge mechanism (i.e. the
+             * DNS01 TXT record has been presented, or the HTTP01 configuration has been
+             * configured).
+             */
+            presented?: pulumi.Input<boolean>;
+            /**
+             * Used to denote whether this challenge should be processed or not.
+             * This field will only be set to true by the 'scheduling' component.
+             * It will only be set to false by the 'challenges' controller, after the
+             * challenge has reached a final state or timed out.
+             * If this field is set to false, the challenge controller will not take
+             * any more action.
+             */
+            processing?: pulumi.Input<boolean>;
+            /**
+             * Contains human readable information on why the Challenge is in the
+             * current state.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Contains the current 'state' of the challenge.
+             * If not set, the state of the challenge is unknown.
+             */
+            state?: pulumi.Input<string>;
+        }
+
+        /**
+         * Order is a type to represent an Order with an ACME server
+         */
+        export interface Order {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"acme.cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Order">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.acme.v1.OrderSpec>;
+            status?: pulumi.Input<inputs.acme.v1.OrderStatus>;
+        }
+
+        export interface OrderSpec {
+            /**
+             * CommonName is the common name as specified on the DER encoded CSR.
+             * If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            commonName?: pulumi.Input<string>;
+            /**
+             * DNSNames is a list of DNS names that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Duration is the duration for the not after date for the requested certificate.
+             * this is set on order creation as pe the ACME spec.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * IPAddresses is a list of IP addresses that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            ipAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            issuerRef?: pulumi.Input<inputs.acme.v1.OrderSpecIssuerRef>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Certificate signing request bytes in DER encoding.
+             * This will be used when finalizing the order.
+             * This field must be set on the order.
+             */
+            request?: pulumi.Input<string>;
+        }
+
+        /**
+         * IssuerRef references a properly configured ACME-type Issuer which should
+         * be used to create this Order.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Order will be marked as failed.
+         */
+        export interface OrderSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * IssuerRef references a properly configured ACME-type Issuer which should
+         * be used to create this Order.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Order will be marked as failed.
+         */
+        export interface OrderSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        export interface OrderSpecPatch {
+            /**
+             * CommonName is the common name as specified on the DER encoded CSR.
+             * If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            commonName?: pulumi.Input<string>;
+            /**
+             * DNSNames is a list of DNS names that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Duration is the duration for the not after date for the requested certificate.
+             * this is set on order creation as pe the ACME spec.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * IPAddresses is a list of IP addresses that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            ipAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            issuerRef?: pulumi.Input<inputs.acme.v1.OrderSpecIssuerRefPatch>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Certificate signing request bytes in DER encoding.
+             * This will be used when finalizing the order.
+             * This field must be set on the order.
+             */
+            request?: pulumi.Input<string>;
+        }
+
+        export interface OrderStatus {
+            /**
+             * Authorizations contains data returned from the ACME server on what
+             * authorizations must be completed in order to validate the DNS names
+             * specified on the Order.
+             */
+            authorizations?: pulumi.Input<pulumi.Input<inputs.acme.v1.OrderStatusAuthorizations>[]>;
+            /**
+             * Certificate is a copy of the PEM encoded certificate for this Order.
+             * This field will be populated after the order has been successfully
+             * finalized with the ACME server, and the order has transitioned to the
+             * 'valid' state.
+             */
+            certificate?: pulumi.Input<string>;
+            /**
+             * FailureTime stores the time that this order failed.
+             * This is used to influence garbage collection and back-off.
+             */
+            failureTime?: pulumi.Input<string>;
+            /**
+             * FinalizeURL of the Order.
+             * This is used to obtain certificates for this order once it has been completed.
+             */
+            finalizeURL?: pulumi.Input<string>;
+            /**
+             * Reason optionally provides more information about a why the order is in
+             * the current state.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * State contains the current state of this Order resource.
+             * States 'success' and 'expired' are 'final'
+             */
+            state?: pulumi.Input<string>;
+            /**
+             * URL of the Order.
+             * This will initially be empty when the resource is first created.
+             * The Order controller will populate this field when the Order is first processed.
+             * This field will be immutable after it is initially set.
+             */
+            url?: pulumi.Input<string>;
+        }
+
+        /**
+         * ACMEAuthorization contains data returned from the ACME server on an
+         * authorization that must be completed in order validate a DNS name on an ACME
+         * Order resource.
+         */
+        export interface OrderStatusAuthorizations {
+            /**
+             * Challenges specifies the challenge types offered by the ACME server.
+             * One of these challenge types will be selected when validating the DNS
+             * name and an appropriate Challenge resource will be created to perform
+             * the ACME challenge process.
+             */
+            challenges?: pulumi.Input<pulumi.Input<inputs.acme.v1.OrderStatusAuthorizationsChallenges>[]>;
+            /**
+             * Identifier is the DNS name to be validated as part of this authorization
+             */
+            identifier?: pulumi.Input<string>;
+            /**
+             * InitialState is the initial state of the ACME authorization when first
+             * fetched from the ACME server.
+             * If an Authorization is already 'valid', the Order controller will not
+             * create a Challenge resource for the authorization. This will occur when
+             * working with an ACME server that enables 'authz reuse' (such as Let's
+             * Encrypt's production endpoint).
+             * If not set and 'identifier' is set, the state is assumed to be pending
+             * and a Challenge will be created.
+             */
+            initialState?: pulumi.Input<string>;
+            /**
+             * URL is the URL of the Authorization that must be completed
+             */
+            url?: pulumi.Input<string>;
+            /**
+             * Wildcard will be true if this authorization is for a wildcard DNS name.
+             * If this is true, the identifier will be the *non-wildcard* version of
+             * the DNS name.
+             * For example, if '*.example.com' is the DNS name being validated, this
+             * field will be 'true' and the 'identifier' field will be 'example.com'.
+             */
+            wildcard?: pulumi.Input<boolean>;
+        }
+
+        /**
+         * Challenge specifies a challenge offered by the ACME server for an Order.
+         * An appropriate Challenge resource can be created to perform the ACME
+         * challenge process.
+         */
+        export interface OrderStatusAuthorizationsChallenges {
+            /**
+             * Token is the token that must be presented for this challenge.
+             * This is used to compute the 'key' that must also be presented.
+             */
+            token?: pulumi.Input<string>;
+            /**
+             * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01',
+             * 'tls-sni-01', etc.
+             * This is the raw value retrieved from the ACME server.
+             * Only 'http-01' and 'dns-01' are supported by cert-manager, other values
+             * will be ignored.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URL is the URL of this challenge. It can be used to retrieve additional
+             * metadata about the Challenge from the ACME server.
+             */
+            url?: pulumi.Input<string>;
+        }
+
+    }
+}
+
+export namespace cert_manager {
+    export namespace v1 {
+        /**
+         * A Certificate resource should be created to ensure an up to date and signed
+         * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+         *
+         * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+         */
+        export interface Certificate {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Certificate">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.CertificateSpec>;
+            status?: pulumi.Input<inputs.cert_manager.v1.CertificateStatus>;
+        }
+
+        /**
+         * A CertificateRequest is used to request a signed certificate from one of the
+         * configured issuers.
+         *
+         * All fields within the CertificateRequest's `spec` are immutable after creation.
+         * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+         * condition and its `status.failureTime` field.
+         *
+         * A CertificateRequest is a one-shot resource, meaning it represents a single
+         * point in time request for a certificate and cannot be re-used.
+         */
+        export interface CertificateRequest {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"CertificateRequest">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpec>;
+            status?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestStatus>;
+        }
+
+        /**
+         * Specification of the desired state of the CertificateRequest resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateRequestSpec {
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * Extra contains extra attributes of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            extra?: pulumi.Input<{[key: string]: pulumi.Input<pulumi.Input<string>[]>}>;
+            /**
+             * Groups contains group membership of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            groups?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested basic constraints isCA value. Note that the issuer may choose
+             * to ignore the requested isCA value, just like any other requested attribute.
+             *
+             * NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
+             * it must have the same isCA value as specified here.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA?: pulumi.Input<boolean>;
+            issuerRef?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpecIssuerRef>;
+            /**
+             * The PEM-encoded X.509 certificate signing request to be submitted to the
+             * issuer for signing.
+             *
+             * If the CSR has a BasicConstraints extension, its isCA attribute must
+             * match the `isCA` value of this CertificateRequest.
+             * If the CSR has a KeyUsage extension, its key usages must match the
+             * key usages in the `usages` field of this CertificateRequest.
+             * If the CSR has a ExtKeyUsage extension, its extended key usages
+             * must match the extended key usages in the `usages` field of this
+             * CertificateRequest.
+             */
+            request?: pulumi.Input<string>;
+            /**
+             * UID contains the uid of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            uid?: pulumi.Input<string>;
+            /**
+             * Requested key usages and extended key usages.
+             *
+             * NOTE: If the CSR in the `Request` field has uses the KeyUsage or
+             * ExtKeyUsage extension, these extensions must have the same values
+             * as specified here without any additional values.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Username contains the name of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            username?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        export interface CertificateRequestSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        export interface CertificateRequestSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Specification of the desired state of the CertificateRequest resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateRequestSpecPatch {
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * Extra contains extra attributes of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            extra?: pulumi.Input<{[key: string]: pulumi.Input<pulumi.Input<string>[]>}>;
+            /**
+             * Groups contains group membership of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            groups?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested basic constraints isCA value. Note that the issuer may choose
+             * to ignore the requested isCA value, just like any other requested attribute.
+             *
+             * NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
+             * it must have the same isCA value as specified here.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA?: pulumi.Input<boolean>;
+            issuerRef?: pulumi.Input<inputs.cert_manager.v1.CertificateRequestSpecIssuerRefPatch>;
+            /**
+             * The PEM-encoded X.509 certificate signing request to be submitted to the
+             * issuer for signing.
+             *
+             * If the CSR has a BasicConstraints extension, its isCA attribute must
+             * match the `isCA` value of this CertificateRequest.
+             * If the CSR has a KeyUsage extension, its key usages must match the
+             * key usages in the `usages` field of this CertificateRequest.
+             * If the CSR has a ExtKeyUsage extension, its extended key usages
+             * must match the extended key usages in the `usages` field of this
+             * CertificateRequest.
+             */
+            request?: pulumi.Input<string>;
+            /**
+             * UID contains the uid of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            uid?: pulumi.Input<string>;
+            /**
+             * Requested key usages and extended key usages.
+             *
+             * NOTE: If the CSR in the `Request` field has uses the KeyUsage or
+             * ExtKeyUsage extension, these extensions must have the same values
+             * as specified here without any additional values.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Username contains the name of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            username?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status of the CertificateRequest.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateRequestStatus {
+            /**
+             * The PEM encoded X.509 certificate of the signer, also known as the CA
+             * (Certificate Authority).
+             * This is set on a best-effort basis by different issuers.
+             * If not set, the CA is assumed to be unknown/not available.
+             */
+            ca?: pulumi.Input<string>;
+            /**
+             * The PEM encoded X.509 certificate resulting from the certificate
+             * signing request.
+             * If not set, the CertificateRequest has either not been completed or has
+             * failed. More information on failure can be found by checking the
+             * `conditions` field.
+             */
+            certificate?: pulumi.Input<string>;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateRequestStatusConditions>[]>;
+            /**
+             * FailureTime stores the time that this CertificateRequest failed. This is
+             * used to influence garbage collection and back-off.
+             */
+            failureTime?: pulumi.Input<string>;
+        }
+
+        /**
+         * CertificateRequestCondition contains condition information for a CertificateRequest.
+         */
+        export interface CertificateRequestStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * Type of the condition, known values are (`Ready`, `InvalidRequest`,
+             * `Approved`, `Denied`).
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Specification of the desired state of the Certificate resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateSpec {
+            /**
+             * Defines extra output formats of the private key and signed certificate chain
+             * to be written to this Certificate's target Secret.
+             */
+            additionalOutputFormats?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateSpecAdditionalOutputFormats>[]>;
+            /**
+             * Requested common name X509 certificate subject attribute.
+             * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+             * NOTE: TLS clients will ignore this value when any subject alternative name is
+             * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
+             *
+             * Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
+             * Cannot be set if the `literalSubject` field is set.
+             */
+            commonName?: pulumi.Input<string>;
+            /**
+             * Requested DNS subject alternative names.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             *
+             * If unset, this defaults to 90 days.
+             * Minimum accepted duration is 1 hour.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * Requested email subject alternative names.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
+             *
+             * This option defaults to true, and should only be disabled if the target
+             * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
+             */
+            encodeUsagesInRequest?: pulumi.Input<boolean>;
+            /**
+             * Requested IP address subject alternative names.
+             */
+            ipAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested basic constraints isCA value.
+             * The isCA value is used to set the `isCA` field on the created CertificateRequest
+             * resources. Note that the issuer may choose to ignore the requested isCA value, just
+             * like any other requested attribute.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA?: pulumi.Input<boolean>;
+            issuerRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecIssuerRef>;
+            keystores?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystores>;
+            /**
+             * Requested X.509 certificate subject, represented using the LDAP "String
+             * Representation of a Distinguished Name" [1].
+             * Important: the LDAP string format also specifies the order of the attributes
+             * in the subject, this is important when issuing certs for LDAP authentication.
+             * Example: `CN=foo,DC=corp,DC=example,DC=com`
+             * More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
+             * More info: https://github.com/cert-manager/cert-manager/issues/3203
+             * More info: https://github.com/cert-manager/cert-manager/issues/4424
+             *
+             * Cannot be set if the `subject` or `commonName` field is set.
+             */
+            literalSubject?: pulumi.Input<string>;
+            nameConstraints?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraints>;
+            /**
+             * `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+             * Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+             * Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+             * You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+             */
+            otherNames?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateSpecOtherNames>[]>;
+            privateKey?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecPrivateKey>;
+            /**
+             * How long before the currently issued certificate's expiry cert-manager should
+             * renew the certificate. For example, if a certificate is valid for 60 minutes,
+             * and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
+             * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
+             * the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * If unset, this defaults to 1/3 of the issued certificate's lifetime.
+             * Minimum accepted value is 5 minutes.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             * Cannot be set if the `renewBeforePercentage` field is set.
+             */
+            renewBefore?: pulumi.Input<string>;
+            /**
+             * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
+             * rather than an absolute duration. For example, if a certificate is valid for 60
+             * minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
+             * renew the certificate 45 minutes after it was issued (i.e. when there are 15
+             * minutes (25%) remaining until the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * Value must be an integer in the range (0,100). The minimum effective
+             * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
+             * minutes.
+             * Cannot be set if the `renewBefore` field is set.
+             */
+            renewBeforePercentage?: pulumi.Input<number>;
+            /**
+             * The maximum number of CertificateRequest revisions that are maintained in
+             * the Certificate's history. Each revision represents a single `CertificateRequest`
+             * created by this Certificate, either when it was created, renewed, or Spec
+             * was changed. Revisions will be removed by oldest first if the number of
+             * revisions exceeds this number.
+             *
+             * If set, revisionHistoryLimit must be a value of `1` or greater.
+             * Default value is `1`.
+             */
+            revisionHistoryLimit?: pulumi.Input<number>;
+            /**
+             * Name of the Secret resource that will be automatically created and
+             * managed by this Certificate resource. It will be populated with a
+             * private key and certificate, signed by the denoted issuer. The Secret
+             * resource lives in the same namespace as the Certificate resource.
+             */
+            secretName?: pulumi.Input<string>;
+            secretTemplate?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecSecretTemplate>;
+            /**
+             * Signature algorithm to use.
+             * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
+             * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
+             * Allowed values for Ed25519 keys: PureEd25519.
+             */
+            signatureAlgorithm?: pulumi.Input<string>;
+            subject?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecSubject>;
+            /**
+             * Requested URI subject alternative names.
+             */
+            uris?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested key usages and extended key usages.
+             * These usages are used to set the `usages` field on the created CertificateRequest
+             * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
+             * will additionally be encoded in the `request` field which contains the CSR blob.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * CertificateAdditionalOutputFormat defines an additional output format of a
+         * Certificate resource. These contain supplementary data formats of the signed
+         * certificate chain and paired private key.
+         */
+        export interface CertificateSpecAdditionalOutputFormats {
+            /**
+             * Type is the name of the format type that should be written to the
+             * Certificate's target Secret.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * CertificateAdditionalOutputFormat defines an additional output format of a
+         * Certificate resource. These contain supplementary data formats of the signed
+         * certificate chain and paired private key.
+         */
+        export interface CertificateSpecAdditionalOutputFormatsPatch {
+            /**
+             * Type is the name of the format type that should be written to the
+             * Certificate's target Secret.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        export interface CertificateSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        export interface CertificateSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Additional keystore output formats to be stored in the Certificate's Secret.
+         */
+        export interface CertificateSpecKeystores {
+            jks?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresJks>;
+            pkcs12?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPkcs12>;
+        }
+
+        /**
+         * JKS configures options for storing a JKS keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        export interface CertificateSpecKeystoresJks {
+            /**
+             * Alias specifies the alias of the key in the keystore, required by the JKS format.
+             * If not provided, the default alias `certificate` will be used.
+             */
+            alias?: pulumi.Input<string>;
+            /**
+             * Create enables JKS keystore creation for the Certificate.
+             * If true, a file named `keystore.jks` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.jks`
+             * will also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef`
+             * containing the issuing Certificate Authority
+             */
+            create?: pulumi.Input<boolean>;
+            /**
+             * Password provides a literal password used to encrypt the JKS keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password?: pulumi.Input<string>;
+            passwordSecretRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRef>;
+        }
+
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the JKS keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        export interface CertificateSpecKeystoresJksPasswordSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the JKS keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        export interface CertificateSpecKeystoresJksPasswordSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * JKS configures options for storing a JKS keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        export interface CertificateSpecKeystoresJksPatch {
+            /**
+             * Alias specifies the alias of the key in the keystore, required by the JKS format.
+             * If not provided, the default alias `certificate` will be used.
+             */
+            alias?: pulumi.Input<string>;
+            /**
+             * Create enables JKS keystore creation for the Certificate.
+             * If true, a file named `keystore.jks` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.jks`
+             * will also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef`
+             * containing the issuing Certificate Authority
+             */
+            create?: pulumi.Input<boolean>;
+            /**
+             * Password provides a literal password used to encrypt the JKS keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password?: pulumi.Input<string>;
+            passwordSecretRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRefPatch>;
+        }
+
+        /**
+         * Additional keystore output formats to be stored in the Certificate's Secret.
+         */
+        export interface CertificateSpecKeystoresPatch {
+            jks?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresJksPatch>;
+            pkcs12?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPkcs12Patch>;
+        }
+
+        /**
+         * PKCS12 configures options for storing a PKCS12 keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        export interface CertificateSpecKeystoresPkcs12 {
+            /**
+             * Create enables PKCS12 keystore creation for the Certificate.
+             * If true, a file named `keystore.p12` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or in `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.p12` will
+             * also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef` containing the issuing Certificate
+             * Authority
+             */
+            create?: pulumi.Input<boolean>;
+            /**
+             * Password provides a literal password used to encrypt the PKCS#12 keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password?: pulumi.Input<string>;
+            passwordSecretRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRef>;
+            /**
+             * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
+             * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
+             *
+             * If provided, allowed values are:
+             * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+             * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+             * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+             * (e.g., because of company policy). Please note that the security of the algorithm is not that important
+             * in reality, because the unencrypted certificate and private key are also stored in the Secret.
+             */
+            profile?: pulumi.Input<string>;
+        }
+
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the PKCS#12 keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        export interface CertificateSpecKeystoresPkcs12PasswordSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the PKCS#12 keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        export interface CertificateSpecKeystoresPkcs12PasswordSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PKCS12 configures options for storing a PKCS12 keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        export interface CertificateSpecKeystoresPkcs12Patch {
+            /**
+             * Create enables PKCS12 keystore creation for the Certificate.
+             * If true, a file named `keystore.p12` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or in `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.p12` will
+             * also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef` containing the issuing Certificate
+             * Authority
+             */
+            create?: pulumi.Input<boolean>;
+            /**
+             * Password provides a literal password used to encrypt the PKCS#12 keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password?: pulumi.Input<string>;
+            passwordSecretRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRefPatch>;
+            /**
+             * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
+             * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
+             *
+             * If provided, allowed values are:
+             * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+             * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+             * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+             * (e.g., because of company policy). Please note that the security of the algorithm is not that important
+             * in reality, because the unencrypted certificate and private key are also stored in the Secret.
+             */
+            profile?: pulumi.Input<string>;
+        }
+
+        /**
+         * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
+         * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+         *
+         * This is an Alpha Feature and is only enabled with the
+         * `--feature-gates=NameConstraints=true` option set on both
+         * the controller and webhook components.
+         */
+        export interface CertificateSpecNameConstraints {
+            /**
+             * if true then the name constraints are marked critical.
+             */
+            critical?: pulumi.Input<boolean>;
+            excluded?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsExcluded>;
+            permitted?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsPermitted>;
+        }
+
+        /**
+         * Excluded contains the constraints which must be disallowed. Any name matching a
+         * restriction in the excluded field is invalid regardless
+         * of information appearing in the permitted
+         */
+        export interface CertificateSpecNameConstraintsExcluded {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Excluded contains the constraints which must be disallowed. Any name matching a
+         * restriction in the excluded field is invalid regardless
+         * of information appearing in the permitted
+         */
+        export interface CertificateSpecNameConstraintsExcludedPatch {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
+         * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+         *
+         * This is an Alpha Feature and is only enabled with the
+         * `--feature-gates=NameConstraints=true` option set on both
+         * the controller and webhook components.
+         */
+        export interface CertificateSpecNameConstraintsPatch {
+            /**
+             * if true then the name constraints are marked critical.
+             */
+            critical?: pulumi.Input<boolean>;
+            excluded?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsExcludedPatch>;
+            permitted?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsPermittedPatch>;
+        }
+
+        /**
+         * Permitted contains the constraints in which the names must be located.
+         */
+        export interface CertificateSpecNameConstraintsPermitted {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Permitted contains the constraints in which the names must be located.
+         */
+        export interface CertificateSpecNameConstraintsPermittedPatch {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        export interface CertificateSpecOtherNames {
+            /**
+             * OID is the object identifier for the otherName SAN.
+             * The object identifier must be expressed as a dotted string, for
+             * example, "1.2.840.113556.1.4.221".
+             */
+            oid?: pulumi.Input<string>;
+            /**
+             * utf8Value is the string value of the otherName SAN.
+             * The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+             */
+            utf8Value?: pulumi.Input<string>;
+        }
+
+        export interface CertificateSpecOtherNamesPatch {
+            /**
+             * OID is the object identifier for the otherName SAN.
+             * The object identifier must be expressed as a dotted string, for
+             * example, "1.2.840.113556.1.4.221".
+             */
+            oid?: pulumi.Input<string>;
+            /**
+             * utf8Value is the string value of the otherName SAN.
+             * The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+             */
+            utf8Value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Specification of the desired state of the Certificate resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateSpecPatch {
+            /**
+             * Defines extra output formats of the private key and signed certificate chain
+             * to be written to this Certificate's target Secret.
+             */
+            additionalOutputFormats?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateSpecAdditionalOutputFormatsPatch>[]>;
+            /**
+             * Requested common name X509 certificate subject attribute.
+             * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+             * NOTE: TLS clients will ignore this value when any subject alternative name is
+             * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
+             *
+             * Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
+             * Cannot be set if the `literalSubject` field is set.
+             */
+            commonName?: pulumi.Input<string>;
+            /**
+             * Requested DNS subject alternative names.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             *
+             * If unset, this defaults to 90 days.
+             * Minimum accepted duration is 1 hour.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             */
+            duration?: pulumi.Input<string>;
+            /**
+             * Requested email subject alternative names.
+             */
+            emailAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
+             *
+             * This option defaults to true, and should only be disabled if the target
+             * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
+             */
+            encodeUsagesInRequest?: pulumi.Input<boolean>;
+            /**
+             * Requested IP address subject alternative names.
+             */
+            ipAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested basic constraints isCA value.
+             * The isCA value is used to set the `isCA` field on the created CertificateRequest
+             * resources. Note that the issuer may choose to ignore the requested isCA value, just
+             * like any other requested attribute.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA?: pulumi.Input<boolean>;
+            issuerRef?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecIssuerRefPatch>;
+            keystores?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecKeystoresPatch>;
+            /**
+             * Requested X.509 certificate subject, represented using the LDAP "String
+             * Representation of a Distinguished Name" [1].
+             * Important: the LDAP string format also specifies the order of the attributes
+             * in the subject, this is important when issuing certs for LDAP authentication.
+             * Example: `CN=foo,DC=corp,DC=example,DC=com`
+             * More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
+             * More info: https://github.com/cert-manager/cert-manager/issues/3203
+             * More info: https://github.com/cert-manager/cert-manager/issues/4424
+             *
+             * Cannot be set if the `subject` or `commonName` field is set.
+             */
+            literalSubject?: pulumi.Input<string>;
+            nameConstraints?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecNameConstraintsPatch>;
+            /**
+             * `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+             * Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+             * Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+             * You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+             */
+            otherNames?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateSpecOtherNamesPatch>[]>;
+            privateKey?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecPrivateKeyPatch>;
+            /**
+             * How long before the currently issued certificate's expiry cert-manager should
+             * renew the certificate. For example, if a certificate is valid for 60 minutes,
+             * and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
+             * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
+             * the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * If unset, this defaults to 1/3 of the issued certificate's lifetime.
+             * Minimum accepted value is 5 minutes.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             * Cannot be set if the `renewBeforePercentage` field is set.
+             */
+            renewBefore?: pulumi.Input<string>;
+            /**
+             * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
+             * rather than an absolute duration. For example, if a certificate is valid for 60
+             * minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
+             * renew the certificate 45 minutes after it was issued (i.e. when there are 15
+             * minutes (25%) remaining until the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * Value must be an integer in the range (0,100). The minimum effective
+             * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
+             * minutes.
+             * Cannot be set if the `renewBefore` field is set.
+             */
+            renewBeforePercentage?: pulumi.Input<number>;
+            /**
+             * The maximum number of CertificateRequest revisions that are maintained in
+             * the Certificate's history. Each revision represents a single `CertificateRequest`
+             * created by this Certificate, either when it was created, renewed, or Spec
+             * was changed. Revisions will be removed by oldest first if the number of
+             * revisions exceeds this number.
+             *
+             * If set, revisionHistoryLimit must be a value of `1` or greater.
+             * Default value is `1`.
+             */
+            revisionHistoryLimit?: pulumi.Input<number>;
+            /**
+             * Name of the Secret resource that will be automatically created and
+             * managed by this Certificate resource. It will be populated with a
+             * private key and certificate, signed by the denoted issuer. The Secret
+             * resource lives in the same namespace as the Certificate resource.
+             */
+            secretName?: pulumi.Input<string>;
+            secretTemplate?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecSecretTemplatePatch>;
+            /**
+             * Signature algorithm to use.
+             * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
+             * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
+             * Allowed values for Ed25519 keys: PureEd25519.
+             */
+            signatureAlgorithm?: pulumi.Input<string>;
+            subject?: pulumi.Input<inputs.cert_manager.v1.CertificateSpecSubjectPatch>;
+            /**
+             * Requested URI subject alternative names.
+             */
+            uris?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Requested key usages and extended key usages.
+             * These usages are used to set the `usages` field on the created CertificateRequest
+             * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
+             * will additionally be encoded in the `request` field which contains the CSR blob.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Private key options. These include the key algorithm and size, the used
+         * encoding and the rotation policy.
+         */
+        export interface CertificateSpecPrivateKey {
+            /**
+             * Algorithm is the private key algorithm of the corresponding private key
+             * for this certificate.
+             *
+             * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
+             * If `algorithm` is specified and `size` is not provided,
+             * key size of 2048 will be used for `RSA` key algorithm and
+             * key size of 256 will be used for `ECDSA` key algorithm.
+             * key size is ignored when using the `Ed25519` key algorithm.
+             */
+            algorithm?: pulumi.Input<string>;
+            /**
+             * The private key cryptography standards (PKCS) encoding for this
+             * certificate's private key to be encoded in.
+             *
+             * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+             * and PKCS#8, respectively.
+             * Defaults to `PKCS1` if not specified.
+             */
+            encoding?: pulumi.Input<string>;
+            /**
+             * RotationPolicy controls how private keys should be regenerated when a
+             * re-issuance is being processed.
+             *
+             * If set to `Never`, a private key will only be generated if one does not
+             * already exist in the target `spec.secretName`. If one does exist but it
+             * does not have the correct algorithm or size, a warning will be raised
+             * to await user intervention.
+             * If set to `Always`, a private key matching the specified requirements
+             * will be generated whenever a re-issuance occurs.
+             * Default is `Always`.
+             * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
+             * The new default can be disabled by setting the
+             * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
+             * the controller component.
+             */
+            rotationPolicy?: pulumi.Input<string>;
+            /**
+             * Size is the key bit size of the corresponding private key for this certificate.
+             *
+             * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+             * and will default to `2048` if not specified.
+             * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+             * and will default to `256` if not specified.
+             * If `algorithm` is set to `Ed25519`, Size is ignored.
+             * No other values are allowed.
+             */
+            size?: pulumi.Input<number>;
+        }
+
+        /**
+         * Private key options. These include the key algorithm and size, the used
+         * encoding and the rotation policy.
+         */
+        export interface CertificateSpecPrivateKeyPatch {
+            /**
+             * Algorithm is the private key algorithm of the corresponding private key
+             * for this certificate.
+             *
+             * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
+             * If `algorithm` is specified and `size` is not provided,
+             * key size of 2048 will be used for `RSA` key algorithm and
+             * key size of 256 will be used for `ECDSA` key algorithm.
+             * key size is ignored when using the `Ed25519` key algorithm.
+             */
+            algorithm?: pulumi.Input<string>;
+            /**
+             * The private key cryptography standards (PKCS) encoding for this
+             * certificate's private key to be encoded in.
+             *
+             * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+             * and PKCS#8, respectively.
+             * Defaults to `PKCS1` if not specified.
+             */
+            encoding?: pulumi.Input<string>;
+            /**
+             * RotationPolicy controls how private keys should be regenerated when a
+             * re-issuance is being processed.
+             *
+             * If set to `Never`, a private key will only be generated if one does not
+             * already exist in the target `spec.secretName`. If one does exist but it
+             * does not have the correct algorithm or size, a warning will be raised
+             * to await user intervention.
+             * If set to `Always`, a private key matching the specified requirements
+             * will be generated whenever a re-issuance occurs.
+             * Default is `Always`.
+             * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
+             * The new default can be disabled by setting the
+             * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
+             * the controller component.
+             */
+            rotationPolicy?: pulumi.Input<string>;
+            /**
+             * Size is the key bit size of the corresponding private key for this certificate.
+             *
+             * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+             * and will default to `2048` if not specified.
+             * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+             * and will default to `256` if not specified.
+             * If `algorithm` is set to `Ed25519`, Size is ignored.
+             * No other values are allowed.
+             */
+            size?: pulumi.Input<number>;
+        }
+
+        /**
+         * Defines annotations and labels to be copied to the Certificate's Secret.
+         * Labels and annotations on the Secret will be changed as they appear on the
+         * SecretTemplate when added or removed. SecretTemplate annotations are added
+         * in conjunction with, and cannot overwrite, the base set of annotations
+         * cert-manager sets on the Certificate's Secret.
+         */
+        export interface CertificateSpecSecretTemplate {
+            /**
+             * Annotations is a key value map to be copied to the target Kubernetes Secret.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels is a key value map to be copied to the target Kubernetes Secret.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines annotations and labels to be copied to the Certificate's Secret.
+         * Labels and annotations on the Secret will be changed as they appear on the
+         * SecretTemplate when added or removed. SecretTemplate annotations are added
+         * in conjunction with, and cannot overwrite, the base set of annotations
+         * cert-manager sets on the Certificate's Secret.
+         */
+        export interface CertificateSpecSecretTemplatePatch {
+            /**
+             * Annotations is a key value map to be copied to the target Kubernetes Secret.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels is a key value map to be copied to the target Kubernetes Secret.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Requested set of X509 certificate subject attributes.
+         * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+         *
+         * The common name attribute is specified separately in the `commonName` field.
+         * Cannot be set if the `literalSubject` field is set.
+         */
+        export interface CertificateSpecSubject {
+            /**
+             * Countries to be used on the Certificate.
+             */
+            countries?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Cities to be used on the Certificate.
+             */
+            localities?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Organizational Units to be used on the Certificate.
+             */
+            organizationalUnits?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Organizations to be used on the Certificate.
+             */
+            organizations?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Postal codes to be used on the Certificate.
+             */
+            postalCodes?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * State/Provinces to be used on the Certificate.
+             */
+            provinces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Serial number to be used on the Certificate.
+             */
+            serialNumber?: pulumi.Input<string>;
+            /**
+             * Street addresses to be used on the Certificate.
+             */
+            streetAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Requested set of X509 certificate subject attributes.
+         * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+         *
+         * The common name attribute is specified separately in the `commonName` field.
+         * Cannot be set if the `literalSubject` field is set.
+         */
+        export interface CertificateSpecSubjectPatch {
+            /**
+             * Countries to be used on the Certificate.
+             */
+            countries?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Cities to be used on the Certificate.
+             */
+            localities?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Organizational Units to be used on the Certificate.
+             */
+            organizationalUnits?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Organizations to be used on the Certificate.
+             */
+            organizations?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Postal codes to be used on the Certificate.
+             */
+            postalCodes?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * State/Provinces to be used on the Certificate.
+             */
+            provinces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Serial number to be used on the Certificate.
+             */
+            serialNumber?: pulumi.Input<string>;
+            /**
+             * Street addresses to be used on the Certificate.
+             */
+            streetAddresses?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Status of the Certificate.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateStatus {
+            /**
+             * List of status conditions to indicate the status of certificates.
+             * Known condition types are `Ready` and `Issuing`.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.CertificateStatusConditions>[]>;
+            /**
+             * The number of continuous failed issuance attempts up till now. This
+             * field gets removed (if set) on a successful issuance and gets set to
+             * 1 if unset and an issuance has failed. If an issuance has failed, the
+             * delay till the next issuance will be calculated using formula
+             * time.Hour * 2 ^ (failedIssuanceAttempts - 1).
+             */
+            failedIssuanceAttempts?: pulumi.Input<number>;
+            /**
+             * LastFailureTime is set only if the latest issuance for this
+             * Certificate failed and contains the time of the failure. If an
+             * issuance has failed, the delay till the next issuance will be
+             * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
+             * 1). If the latest issuance has succeeded this field will be unset.
+             */
+            lastFailureTime?: pulumi.Input<string>;
+            /**
+             * The name of the Secret resource containing the private key to be used
+             * for the next certificate iteration.
+             * The keymanager controller will automatically set this field if the
+             * `Issuing` condition is set to `True`.
+             * It will automatically unset this field when the Issuing condition is
+             * not set or False.
+             */
+            nextPrivateKeySecretName?: pulumi.Input<string>;
+            /**
+             * The expiration time of the certificate stored in the secret named
+             * by this resource in `spec.secretName`.
+             */
+            notAfter?: pulumi.Input<string>;
+            /**
+             * The time after which the certificate stored in the secret named
+             * by this resource in `spec.secretName` is valid.
+             */
+            notBefore?: pulumi.Input<string>;
+            /**
+             * RenewalTime is the time at which the certificate will be next
+             * renewed.
+             * If not set, no upcoming renewal is scheduled.
+             */
+            renewalTime?: pulumi.Input<string>;
+            /**
+             * The current 'revision' of the certificate as issued.
+             *
+             * When a CertificateRequest resource is created, it will have the
+             * `cert-manager.io/certificate-revision` set to one greater than the
+             * current value of this field.
+             *
+             * Upon issuance, this field will be set to the value of the annotation
+             * on the CertificateRequest resource used to issue the certificate.
+             *
+             * Persisting the value on the CertificateRequest resource allows the
+             * certificates controller to know whether a request is part of an old
+             * issuance or if it is part of the ongoing revision's issuance by
+             * checking if the revision value in the annotation is greater than this
+             * field.
+             */
+            revision?: pulumi.Input<number>;
+        }
+
+        /**
+         * CertificateCondition contains condition information for a Certificate.
+         */
+        export interface CertificateStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Certificate.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * Type of the condition, known values are (`Ready`, `Issuing`).
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * A ClusterIssuer represents a certificate issuing authority which can be
+         * referenced as part of `issuerRef` fields.
+         * It is similar to an Issuer, however it is cluster-scoped and therefore can
+         * be referenced by resources that exist in *any* namespace, not just the same
+         * namespace as the referent.
+         */
+        export interface ClusterIssuer {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"ClusterIssuer">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpec>;
+            status?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerStatus>;
+        }
+
+        /**
+         * Desired state of the ClusterIssuer resource.
+         */
+        export interface ClusterIssuerSpec {
+            acme?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcme>;
+            ca?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecCa>;
+            selfSigned?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecSelfSigned>;
+            vault?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVault>;
+            venafi?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafi>;
+        }
+
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        export interface ClusterIssuerSpecAcme {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration?: pulumi.Input<boolean>;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email?: pulumi.Input<string>;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature?: pulumi.Input<boolean>;
+            externalAccountBinding?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBinding>;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain?: pulumi.Input<string>;
+            privateKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRef>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify?: pulumi.Input<boolean>;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolvers>[]>;
+        }
+
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        export interface ClusterIssuerSpecAcmeExternalAccountBinding {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm?: pulumi.Input<string>;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID?: pulumi.Input<string>;
+            keySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRef>;
+        }
+
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        export interface ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        export interface ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        export interface ClusterIssuerSpecAcmeExternalAccountBindingPatch {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm?: pulumi.Input<string>;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID?: pulumi.Input<string>;
+            keySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRefPatch>;
+        }
+
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        export interface ClusterIssuerSpecAcmePatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration?: pulumi.Input<boolean>;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email?: pulumi.Input<string>;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature?: pulumi.Input<boolean>;
+            externalAccountBinding?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingPatch>;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain?: pulumi.Input<string>;
+            privateKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRefPatch>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify?: pulumi.Input<boolean>;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversPatch>[]>;
+        }
+
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        export interface ClusterIssuerSpecAcmePrivateKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        export interface ClusterIssuerSpecAcmePrivateKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        export interface ClusterIssuerSpecAcmeSolvers {
+            dns01?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01>;
+            http01?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01>;
+            selector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversSelector>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01 {
+            acmeDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNS>;
+            akamai?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Akamai>;
+            azureDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNS>;
+            cloudDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNS>;
+            cloudflare?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Cloudflare>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Digitalocean>;
+            rfc2136?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136>;
+            route53?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53>;
+            webhook?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Webhook>;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AcmeDNS {
+            accountSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef>;
+            host?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSPatch {
+            accountSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch>;
+            host?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Akamai {
+            accessTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef>;
+            clientTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiPatch {
+            accessTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch>;
+            clientTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef>;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Cloudflare {
+            apiKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef>;
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflarePatch {
+            apiKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch>;
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Digitalocean {
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef>;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanPatch {
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Patch {
+            acmeDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSPatch>;
+            akamai?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiPatch>;
+            azureDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSPatch>;
+            cloudDNS?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSPatch>;
+            cloudflare?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflarePatch>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanPatch>;
+            rfc2136?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136Patch>;
+            route53?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Patch>;
+            webhook?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01WebhookPatch>;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef>;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch>;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef>;
+            auth?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Auth>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53Auth {
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetes>;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetes {
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef>;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch {
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch {
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch>;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch>;
+            auth?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{[key: string]: any}>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{[key: string]: any}>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01 {
+            gatewayHTTPRoute?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute>;
+            ingress?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01Ingress>;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs>[]>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch>[]>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls>[]>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplate>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata>;
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch>;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpec>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpec {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls>[]>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01Patch {
+            gatewayHTTPRoute?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch>;
+            ingress?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPatch>;
+        }
+
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        export interface ClusterIssuerSpecAcmeSolversPatch {
+            dns01?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Patch>;
+            http01?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01Patch>;
+            selector?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversSelectorPatch>;
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface ClusterIssuerSpecAcmeSolversSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface ClusterIssuerSpecAcmeSolversSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        export interface ClusterIssuerSpecCa {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        export interface ClusterIssuerSpecCaPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Desired state of the ClusterIssuer resource.
+         */
+        export interface ClusterIssuerSpecPatch {
+            acme?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecAcmePatch>;
+            ca?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecCaPatch>;
+            selfSigned?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecSelfSignedPatch>;
+            vault?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultPatch>;
+            venafi?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiPatch>;
+        }
+
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        export interface ClusterIssuerSpecSelfSigned {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        export interface ClusterIssuerSpecSelfSignedPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        export interface ClusterIssuerSpecVault {
+            auth?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuth>;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultCaBundleSecretRef>;
+            clientCertSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultClientCertSecretRef>;
+            clientKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultClientKeySecretRef>;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        export interface ClusterIssuerSpecVaultAuth {
+            appRole?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRole>;
+            clientCertificate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificate>;
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetes>;
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRef>;
+        }
+
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        export interface ClusterIssuerSpecVaultAuthAppRole {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRoleSecretRef>;
+        }
+
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        export interface ClusterIssuerSpecVaultAuthAppRolePatch {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRoleSecretRefPatch>;
+        }
+
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        export interface ClusterIssuerSpecVaultAuthAppRoleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        export interface ClusterIssuerSpecVaultAuthAppRoleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        export interface ClusterIssuerSpecVaultAuthClientCertificate {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        export interface ClusterIssuerSpecVaultAuthClientCertificatePatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetes {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesSecretRef>;
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesServiceAccountRef>;
+        }
+
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesPatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesSecretRefPatch>;
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesServiceAccountRefPatch>;
+        }
+
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        export interface ClusterIssuerSpecVaultAuthPatch {
+            appRole?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRolePatch>;
+            clientCertificate?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificatePatch>;
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesPatch>;
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRefPatch>;
+        }
+
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        export interface ClusterIssuerSpecVaultAuthTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        export interface ClusterIssuerSpecVaultAuthTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        export interface ClusterIssuerSpecVaultCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        export interface ClusterIssuerSpecVaultCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        export interface ClusterIssuerSpecVaultClientCertSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        export interface ClusterIssuerSpecVaultClientCertSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        export interface ClusterIssuerSpecVaultClientKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        export interface ClusterIssuerSpecVaultClientKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        export interface ClusterIssuerSpecVaultPatch {
+            auth?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultAuthPatch>;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultCaBundleSecretRefPatch>;
+            clientCertSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultClientCertSecretRefPatch>;
+            clientKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVaultClientKeySecretRefPatch>;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        export interface ClusterIssuerSpecVenafi {
+            cloud?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiCloud>;
+            tpp?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTpp>;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone?: pulumi.Input<string>;
+        }
+
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface ClusterIssuerSpecVenafiCloud {
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRef>;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url?: pulumi.Input<string>;
+        }
+
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        export interface ClusterIssuerSpecVenafiCloudApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        export interface ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface ClusterIssuerSpecVenafiCloudPatch {
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch>;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url?: pulumi.Input<string>;
+        }
+
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        export interface ClusterIssuerSpecVenafiPatch {
+            cloud?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudPatch>;
+            tpp?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppPatch>;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone?: pulumi.Input<string>;
+        }
+
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface ClusterIssuerSpecVenafiTpp {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRef>;
+            credentialsRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRef>;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        export interface ClusterIssuerSpecVenafiTppCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        export interface ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        export interface ClusterIssuerSpecVenafiTppCredentialsRef {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        export interface ClusterIssuerSpecVenafiTppCredentialsRefPatch {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface ClusterIssuerSpecVenafiTppPatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch>;
+            credentialsRef?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRefPatch>;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status of the ClusterIssuer. This is set and managed automatically.
+         */
+        export interface ClusterIssuerStatus {
+            acme?: pulumi.Input<inputs.cert_manager.v1.ClusterIssuerStatusAcme>;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.ClusterIssuerStatusConditions>[]>;
+        }
+
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        export interface ClusterIssuerStatusAcme {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash?: pulumi.Input<string>;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail?: pulumi.Input<string>;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri?: pulumi.Input<string>;
+        }
+
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        export interface ClusterIssuerStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * An Issuer represents a certificate issuing authority which can be
+         * referenced as part of `issuerRef` fields.
+         * It is scoped to a single namespace and can therefore only be referenced by
+         * resources within the same namespace.
+         */
+        export interface Issuer {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"cert-manager.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Issuer">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpec>;
+            status?: pulumi.Input<inputs.cert_manager.v1.IssuerStatus>;
+        }
+
+        /**
+         * Desired state of the Issuer resource.
+         */
+        export interface IssuerSpec {
+            acme?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcme>;
+            ca?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecCa>;
+            selfSigned?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecSelfSigned>;
+            vault?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVault>;
+            venafi?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafi>;
+        }
+
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        export interface IssuerSpecAcme {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration?: pulumi.Input<boolean>;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email?: pulumi.Input<string>;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature?: pulumi.Input<boolean>;
+            externalAccountBinding?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBinding>;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain?: pulumi.Input<string>;
+            privateKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRef>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify?: pulumi.Input<boolean>;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolvers>[]>;
+        }
+
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        export interface IssuerSpecAcmeExternalAccountBinding {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm?: pulumi.Input<string>;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID?: pulumi.Input<string>;
+            keySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingKeySecretRef>;
+        }
+
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        export interface IssuerSpecAcmeExternalAccountBindingKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        export interface IssuerSpecAcmeExternalAccountBindingKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        export interface IssuerSpecAcmeExternalAccountBindingPatch {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm?: pulumi.Input<string>;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID?: pulumi.Input<string>;
+            keySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingKeySecretRefPatch>;
+        }
+
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        export interface IssuerSpecAcmePatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration?: pulumi.Input<boolean>;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email?: pulumi.Input<string>;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature?: pulumi.Input<boolean>;
+            externalAccountBinding?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingPatch>;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain?: pulumi.Input<string>;
+            privateKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRefPatch>;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile?: pulumi.Input<string>;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify?: pulumi.Input<boolean>;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversPatch>[]>;
+        }
+
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        export interface IssuerSpecAcmePrivateKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        export interface IssuerSpecAcmePrivateKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        export interface IssuerSpecAcmeSolvers {
+            dns01?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01>;
+            http01?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01>;
+            selector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversSelector>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface IssuerSpecAcmeSolversDns01 {
+            acmeDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNS>;
+            akamai?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Akamai>;
+            azureDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNS>;
+            cloudDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNS>;
+            cloudflare?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Cloudflare>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Digitalocean>;
+            rfc2136?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136>;
+            route53?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53>;
+            webhook?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Webhook>;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AcmeDNS {
+            accountSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef>;
+            host?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AcmeDNSPatch {
+            accountSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch>;
+            host?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Akamai {
+            accessTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef>;
+            clientTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiPatch {
+            accessTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch>;
+            clientTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch>;
+            serviceConsumerDomain?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID?: pulumi.Input<string>;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID?: pulumi.Input<string>;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID?: pulumi.Input<string>;
+            clientSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch>;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment?: pulumi.Input<string>;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            managedIdentity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch>;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName?: pulumi.Input<string>;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID?: pulumi.Input<string>;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef>;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName?: pulumi.Input<string>;
+            project?: pulumi.Input<string>;
+            serviceAccountSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Cloudflare {
+            apiKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef>;
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflarePatch {
+            apiKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch>;
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch>;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Digitalocean {
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef>;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01DigitaloceanPatch {
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface IssuerSpecAcmeSolversDns01Patch {
+            acmeDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSPatch>;
+            akamai?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiPatch>;
+            azureDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSPatch>;
+            cloudDNS?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSPatch>;
+            cloudflare?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflarePatch>;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy?: pulumi.Input<string>;
+            digitalocean?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanPatch>;
+            rfc2136?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136Patch>;
+            route53?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Patch>;
+            webhook?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01WebhookPatch>;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef>;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver?: pulumi.Input<string>;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol?: pulumi.Input<string>;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm?: pulumi.Input<string>;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName?: pulumi.Input<string>;
+            tsigSecretSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch>;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef>;
+            auth?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Auth>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53Auth {
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetes>;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthKubernetes {
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef>;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch {
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthPatch {
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch>;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID?: pulumi.Input<string>;
+            accessKeyIDSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch>;
+            auth?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthPatch>;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID?: pulumi.Input<string>;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region?: pulumi.Input<string>;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role?: pulumi.Input<string>;
+            secretAccessKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{[key: string]: any}>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config?: pulumi.Input<{[key: string]: any}>;
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName?: pulumi.Input<string>;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface IssuerSpecAcmeSolversHttp01 {
+            gatewayHTTPRoute?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoute>;
+            ingress?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01Ingress>;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs>[]>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch>[]>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls>[]>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface IssuerSpecAcmeSolversHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplate>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplate>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressIngressTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata>;
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch>;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class?: pulumi.Input<string>;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName?: pulumi.Input<string>;
+            ingressTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch>;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name?: pulumi.Input<string>;
+            podTemplate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplatePatch>;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType?: pulumi.Input<string>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplate {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpec>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplatePatch {
+            metadata?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch>;
+            spec?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpec {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution>;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch>;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch>[]>;
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch>[]>;
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch>;
+            podAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch>;
+            podAntiAffinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution>[]>;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch>[]>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch>;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch>;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys?: pulumi.Input<pulumi.Input<string>[]>;
+            namespaceSelector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch>;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch {
+            affinity?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch>;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch>[]>;
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName?: pulumi.Input<string>;
+            resources?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch>;
+            securityContext?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch>;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName?: pulumi.Input<string>;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch>[]>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests?: pulumi.Input<{[key: string]: pulumi.Input<number | string>}>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls>[]>;
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup?: pulumi.Input<number>;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy?: pulumi.Input<string>;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup?: pulumi.Input<number>;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot?: pulumi.Input<boolean>;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser?: pulumi.Input<number>;
+            seLinuxOptions?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch>;
+            seccompProfile?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch>;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups?: pulumi.Input<pulumi.Input<number>[]>;
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch>[]>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level?: pulumi.Input<string>;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role?: pulumi.Input<string>;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile?: pulumi.Input<string>;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value of a property to set
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect?: pulumi.Input<string>;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds?: pulumi.Input<number>;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface IssuerSpecAcmeSolversHttp01Patch {
+            gatewayHTTPRoute?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch>;
+            ingress?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPatch>;
+        }
+
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        export interface IssuerSpecAcmeSolversPatch {
+            dns01?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Patch>;
+            http01?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01Patch>;
+            selector?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmeSolversSelectorPatch>;
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface IssuerSpecAcmeSolversSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface IssuerSpecAcmeSolversSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        export interface IssuerSpecCa {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        export interface IssuerSpecCaPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Desired state of the Issuer resource.
+         */
+        export interface IssuerSpecPatch {
+            acme?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecAcmePatch>;
+            ca?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecCaPatch>;
+            selfSigned?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecSelfSignedPatch>;
+            vault?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultPatch>;
+            venafi?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiPatch>;
+        }
+
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        export interface IssuerSpecSelfSigned {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        export interface IssuerSpecSelfSignedPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        export interface IssuerSpecVault {
+            auth?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuth>;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultCaBundleSecretRef>;
+            clientCertSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultClientCertSecretRef>;
+            clientKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultClientKeySecretRef>;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        export interface IssuerSpecVaultAuth {
+            appRole?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthAppRole>;
+            clientCertificate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificate>;
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetes>;
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRef>;
+        }
+
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        export interface IssuerSpecVaultAuthAppRole {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthAppRoleSecretRef>;
+        }
+
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        export interface IssuerSpecVaultAuthAppRolePatch {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthAppRoleSecretRefPatch>;
+        }
+
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        export interface IssuerSpecVaultAuthAppRoleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        export interface IssuerSpecVaultAuthAppRoleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        export interface IssuerSpecVaultAuthClientCertificate {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        export interface IssuerSpecVaultAuthClientCertificatePatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        export interface IssuerSpecVaultAuthKubernetes {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesSecretRef>;
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesServiceAccountRef>;
+        }
+
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        export interface IssuerSpecVaultAuthKubernetesPatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath?: pulumi.Input<string>;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role?: pulumi.Input<string>;
+            secretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesSecretRefPatch>;
+            serviceAccountRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesServiceAccountRefPatch>;
+        }
+
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        export interface IssuerSpecVaultAuthKubernetesSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        export interface IssuerSpecVaultAuthKubernetesSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        export interface IssuerSpecVaultAuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        export interface IssuerSpecVaultAuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        export interface IssuerSpecVaultAuthPatch {
+            appRole?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthAppRolePatch>;
+            clientCertificate?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificatePatch>;
+            kubernetes?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesPatch>;
+            tokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRefPatch>;
+        }
+
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        export interface IssuerSpecVaultAuthTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        export interface IssuerSpecVaultAuthTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        export interface IssuerSpecVaultCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        export interface IssuerSpecVaultCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        export interface IssuerSpecVaultClientCertSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        export interface IssuerSpecVaultClientCertSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        export interface IssuerSpecVaultClientKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        export interface IssuerSpecVaultClientKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        export interface IssuerSpecVaultPatch {
+            auth?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultAuthPatch>;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultCaBundleSecretRefPatch>;
+            clientCertSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultClientCertSecretRefPatch>;
+            clientKeySecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVaultClientKeySecretRefPatch>;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path?: pulumi.Input<string>;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server?: pulumi.Input<string>;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        export interface IssuerSpecVenafi {
+            cloud?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiCloud>;
+            tpp?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTpp>;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone?: pulumi.Input<string>;
+        }
+
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface IssuerSpecVenafiCloud {
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRef>;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url?: pulumi.Input<string>;
+        }
+
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        export interface IssuerSpecVenafiCloudApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        export interface IssuerSpecVenafiCloudApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface IssuerSpecVenafiCloudPatch {
+            apiTokenSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRefPatch>;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url?: pulumi.Input<string>;
+        }
+
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        export interface IssuerSpecVenafiPatch {
+            cloud?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiCloudPatch>;
+            tpp?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppPatch>;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone?: pulumi.Input<string>;
+        }
+
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface IssuerSpecVenafiTpp {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRef>;
+            credentialsRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRef>;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        export interface IssuerSpecVenafiTppCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        export interface IssuerSpecVenafiTppCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        export interface IssuerSpecVenafiTppCredentialsRef {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        export interface IssuerSpecVenafiTppCredentialsRefPatch {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface IssuerSpecVenafiTppPatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle?: pulumi.Input<string>;
+            caBundleSecretRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRefPatch>;
+            credentialsRef?: pulumi.Input<inputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRefPatch>;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status of the Issuer. This is set and managed automatically.
+         */
+        export interface IssuerStatus {
+            acme?: pulumi.Input<inputs.cert_manager.v1.IssuerStatusAcme>;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.cert_manager.v1.IssuerStatusConditions>[]>;
+        }
+
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        export interface IssuerStatusAcme {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash?: pulumi.Input<string>;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail?: pulumi.Input<string>;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri?: pulumi.Input<string>;
+        }
+
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        export interface IssuerStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type?: pulumi.Input<string>;
+        }
+
+    }
+}
+
+export namespace gateway {
+    export namespace v1 {
+        /**
+         * BackendTLSPolicy provides a way to configure how a Gateway
+         * connects to a Backend via TLS.
+         */
+        export interface BackendTLSPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"BackendTLSPolicy">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpec>;
+            status?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicyStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicySpec {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecTargetRefs>[]>;
+            validation?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidation>;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicySpecPatch {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecTargetRefsPatch>[]>;
+            validation?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationPatch>;
+        }
+
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        export interface BackendTLSPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        export interface BackendTLSPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        export interface BackendTLSPolicySpecValidation {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefs>[]>;
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNames>[]>;
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface BackendTLSPolicySpecValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface BackendTLSPolicySpecValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        export interface BackendTLSPolicySpecValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefsPatch>[]>;
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNamesPatch>[]>;
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates?: pulumi.Input<string>;
+        }
+
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        export interface BackendTLSPolicySpecValidationSubjectAltNames {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri?: pulumi.Input<string>;
+        }
+
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        export interface BackendTLSPolicySpecValidationSubjectAltNamesPatch {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicyStatusAncestors>[]>;
+        }
+
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        export interface BackendTLSPolicyStatusAncestors {
+            ancestorRef?: pulumi.Input<inputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRef>;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+        }
+
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        export interface BackendTLSPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface BackendTLSPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * GRPCRoute provides a way to route gRPC requests. This includes the capability
+         * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+         * Filters can be used to specify additional processing steps. Backends specify
+         * where matching requests will be routed.
+         *
+         * GRPCRoute falls under extended support within the Gateway API. Within the
+         * following specification, the word "MUST" indicates that an implementation
+         * supporting GRPCRoute must conform to the indicated requirement, but an
+         * implementation not supporting this route type need not follow the requirement
+         * unless explicitly indicated.
+         *
+         * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+         * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+         * ALPN. If the implementation does not support this, then it MUST set the
+         * "Accepted" condition to "False" for the affected listener with a reason of
+         * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+         * with an upgrade from HTTP/1.
+         *
+         * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+         * support HTTP/2 over cleartext TCP (h2c,
+         * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+         * upgrade from HTTP/1.1, i.e. with prior knowledge
+         * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+         * does not support this, then it MUST set the "Accepted" condition to "False"
+         * for the affected listener with a reason of "UnsupportedProtocol".
+         * Implementations MAY also accept HTTP/2 connections with an upgrade from
+         * HTTP/1, i.e. without prior knowledge.
+         */
+        export interface GRPCRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"GRPCRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1.GRPCRouteStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of GRPCRoute.
+         */
+        export interface GRPCRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames to match against the GRPC
+             * Host header to select a GRPCRoute to process the request. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label MUST appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and GRPCRoute, there
+             * MUST be at least one intersecting hostname for the GRPCRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, any
+             * GRPCRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * GRPCRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` MUST NOT be considered for a match.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, and none
+             * match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+             * the implementation. The implementation MUST raise an 'Accepted' Condition
+             * with a status of `False` in the corresponding RouteParentStatus.
+             *
+             * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+             * Listener and that listener already has another Route (B) of the other
+             * type attached and the intersection of the hostnames of A and B is
+             * non-empty, then the implementation MUST accept exactly one of these two
+             * routes, determined by the following criteria, in order:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * The rejected Route MUST raise an 'Accepted' condition with a status of
+             * 'False' in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of GRPC matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface GRPCRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface GRPCRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of GRPCRoute.
+         */
+        export interface GRPCRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames to match against the GRPC
+             * Host header to select a GRPCRoute to process the request. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label MUST appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and GRPCRoute, there
+             * MUST be at least one intersecting hostname for the GRPCRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, any
+             * GRPCRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * GRPCRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` MUST NOT be considered for a match.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, and none
+             * match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+             * the implementation. The implementation MUST raise an 'Accepted' Condition
+             * with a status of `False` in the corresponding RouteParentStatus.
+             *
+             * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+             * Listener and that listener already has another Route (B) of the other
+             * type attached and the intersection of the hostnames of A and B is
+             * non-empty, then the implementation MUST accept exactly one of these two
+             * routes, determined by the following criteria, in order:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * The rejected Route MUST raise an 'Accepted' condition with a status of
+             * 'False' in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of GRPC matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * GRPCRouteRule defines the semantics for matching a gRPC request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface GRPCRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive an `UNAVAILABLE` status.
+             *
+             * See the GRPCBackendRef definition for the rules about what makes a single
+             * GRPCBackendRef invalid.
+             *
+             * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive an `UNAVAILABLE` status.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+             * Implementations may choose how that 50 percent is determined.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * The effects of ordering of multiple behaviors are currently unspecified.
+             * This can change in the future based on feedback during the alpha stage.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations that support
+             *   GRPCRoute.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * If an implementation cannot support a combination of filters, it must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFilters>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * gRPC requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - method:
+             *     service: foo.bar
+             *   headers:
+             *     values:
+             *       version: 2
+             * - method:
+             *     service: foo.bar.v2
+             * ```
+             *
+             * For a request to match against this rule, it MUST satisfy
+             * EITHER of the two conditions:
+             *
+             * - service of foo.bar AND contains the header `version: 2`
+             * - service of foo.bar.v2
+             *
+             * See the documentation for GRPCRouteMatch on how to specify multiple
+             * match conditions to be ANDed together.
+             *
+             * If no matches are specified, the implementation MUST match every gRPC request.
+             *
+             * Proxy or Load Balancer routing configuration generated from GRPCRoutes
+             * MUST prioritize rules based on the following criteria, continuing on
+             * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+             * Precedence MUST be given to the rule with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             * * Characters in a matching service.
+             * * Characters in a matching method.
+             * * Header matches.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within the Route that has been given precedence,
+             * matching precedence MUST be granted to the first matching rule meeting
+             * the above criteria.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatches>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesSessionPersistence>;
+        }
+
+        /**
+         * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface GRPCRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level MUST be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in GRPCRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFilters>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFilters {
+            extensionRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersExtensionRef>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirror>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersPatch {
+            extensionRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level MUST be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in GRPCRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersPatch>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface GRPCRouteSpecRulesFilters {
+            extensionRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersExtensionRef>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirror>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        export interface GRPCRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        export interface GRPCRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface GRPCRouteSpecRulesFiltersPatch {
+            extensionRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersExtensionRefPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * GRPCRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a gRPC request only if its service
+         * is `foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * matches:
+         *   - method:
+         *     type: Exact
+         *     service: "foo"
+         *     headers:
+         *   - name: "version"
+         *     value "v1"
+         *
+         * ```
+         */
+        export interface GRPCRouteSpecRulesMatches {
+            /**
+             * Headers specifies gRPC request header matchers. Multiple match values are
+             * ANDed together, meaning, a request MUST match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesHeaders>[]>;
+            method?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesMethod>;
+        }
+
+        /**
+         * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+         * headers.
+         */
+        export interface GRPCRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the gRPC Header to be matched.
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of the gRPC Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+         * headers.
+         */
+        export interface GRPCRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the gRPC Header to be matched.
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of the gRPC Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Method specifies a gRPC request service/method matcher. If this field is
+         * not specified, all services and methods will match.
+         */
+        export interface GRPCRouteSpecRulesMatchesMethod {
+            /**
+             * Value of the method to match against. If left empty or omitted, will
+             * match all services.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            method?: pulumi.Input<string>;
+            /**
+             * Value of the service to match against. If left empty or omitted, will
+             * match any service.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            service?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the service and/or method.
+             * Support: Core (Exact with service and method specified)
+             *
+             * Support: Implementation-specific (Exact with method specified but no service specified)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Method specifies a gRPC request service/method matcher. If this field is
+         * not specified, all services and methods will match.
+         */
+        export interface GRPCRouteSpecRulesMatchesMethodPatch {
+            /**
+             * Value of the method to match against. If left empty or omitted, will
+             * match all services.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            method?: pulumi.Input<string>;
+            /**
+             * Value of the service to match against. If left empty or omitted, will
+             * match any service.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            service?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the service and/or method.
+             * Support: Core (Exact with service and method specified)
+             *
+             * Support: Implementation-specific (Exact with method specified but no service specified)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * GRPCRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a gRPC request only if its service
+         * is `foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * matches:
+         *   - method:
+         *     type: Exact
+         *     service: "foo"
+         *     headers:
+         *   - name: "version"
+         *     value "v1"
+         *
+         * ```
+         */
+        export interface GRPCRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies gRPC request header matchers. Multiple match values are
+             * ANDed together, meaning, a request MUST match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesHeadersPatch>[]>;
+            method?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesMethodPatch>;
+        }
+
+        /**
+         * GRPCRouteRule defines the semantics for matching a gRPC request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface GRPCRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive an `UNAVAILABLE` status.
+             *
+             * See the GRPCBackendRef definition for the rules about what makes a single
+             * GRPCBackendRef invalid.
+             *
+             * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive an `UNAVAILABLE` status.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+             * Implementations may choose how that 50 percent is determined.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * The effects of ordering of multiple behaviors are currently unspecified.
+             * This can change in the future based on feedback during the alpha stage.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations that support
+             *   GRPCRoute.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * If an implementation cannot support a combination of filters, it must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesFiltersPatch>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * gRPC requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - method:
+             *     service: foo.bar
+             *   headers:
+             *     values:
+             *       version: 2
+             * - method:
+             *     service: foo.bar.v2
+             * ```
+             *
+             * For a request to match against this rule, it MUST satisfy
+             * EITHER of the two conditions:
+             *
+             * - service of foo.bar AND contains the header `version: 2`
+             * - service of foo.bar.v2
+             *
+             * See the documentation for GRPCRouteMatch on how to specify multiple
+             * match conditions to be ANDed together.
+             *
+             * If no matches are specified, the implementation MUST match every gRPC request.
+             *
+             * Proxy or Load Balancer routing configuration generated from GRPCRoutes
+             * MUST prioritize rules based on the following criteria, continuing on
+             * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+             * Precedence MUST be given to the rule with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             * * Characters in a matching service.
+             * * Characters in a matching method.
+             * * Header matches.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within the Route that has been given precedence,
+             * matching precedence MUST be granted to the first matching rule meeting
+             * the above criteria.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesMatchesPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesSessionPersistencePatch>;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesSessionPersistenceCookieConfig>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1.GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of GRPCRoute.
+         */
+        export interface GRPCRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteStatusParents>[]>;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface GRPCRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GRPCRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1.GRPCRouteStatusParentsParentRef>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GRPCRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface GRPCRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Gateway represents an instance of a service-traffic handling infrastructure
+         * by binding Listeners to a set of IP addresses.
+         */
+        export interface Gateway {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Gateway">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.GatewaySpec>;
+            status?: pulumi.Input<inputs.gateway.v1.GatewayStatus>;
+        }
+
+        /**
+         * GatewayClass describes a class of Gateways available to the user for creating
+         * Gateway resources.
+         *
+         * It is recommended that this resource be used as a template for Gateways. This
+         * means that a Gateway is based on the state of the GatewayClass at the time it
+         * was created and changes to the GatewayClass or associated parameters are not
+         * propagated down to existing Gateways. This recommendation is intended to
+         * limit the blast radius of changes to GatewayClass or associated parameters.
+         * If implementations choose to propagate GatewayClass changes to existing
+         * Gateways, that MUST be clearly documented by the implementation.
+         *
+         * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+         * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+         * associated GatewayClass. This ensures that a GatewayClass associated with a
+         * Gateway is not deleted while in use.
+         *
+         * GatewayClass is a Cluster level resource.
+         */
+        export interface GatewayClass {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"GatewayClass">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.GatewayClassSpec>;
+            status?: pulumi.Input<inputs.gateway.v1.GatewayClassStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        export interface GatewayClassSpec {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1.GatewayClassSpecParametersRef>;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewayClassSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewayClassSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        export interface GatewayClassSpecPatch {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1.GatewayClassSpecParametersRefPatch>;
+        }
+
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        export interface GatewayClassStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayClassStatusConditions>[]>;
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayClassStatusSupportedFeatures>[]>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayClassStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        export interface GatewayClassStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        export interface GatewaySpec {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecAddresses>[]>;
+            allowedListeners?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListeners>;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope?: pulumi.Input<string>;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName?: pulumi.Input<string>;
+            infrastructure?: pulumi.Input<inputs.gateway.v1.GatewaySpecInfrastructure>;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListeners>[]>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecTls>;
+        }
+
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        export interface GatewaySpecAddresses {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        export interface GatewaySpecAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListeners {
+            namespaces?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespaces>;
+        }
+
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersNamespaces {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelector>;
+        }
+
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesPatch {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorPatch>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersPatch {
+            namespaces?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersNamespacesPatch>;
+        }
+
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecInfrastructure {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1.GatewaySpecInfrastructureParametersRef>;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewaySpecInfrastructureParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewaySpecInfrastructureParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecInfrastructurePatch {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1.GatewaySpecInfrastructureParametersRefPatch>;
+        }
+
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        export interface GatewaySpecListeners {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutes>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersTls>;
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesKinds>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespaces>;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewaySpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewaySpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelector>;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesKindsPatch>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesPatch>;
+        }
+
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        export interface GatewaySpecListenersPatch {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersAllowedRoutesPatch>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecListenersTlsPatch>;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersTlsCertificateRefs>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersTlsCertificateRefsPatch>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        export interface GatewaySpecPatch {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecAddressesPatch>[]>;
+            allowedListeners?: pulumi.Input<inputs.gateway.v1.GatewaySpecAllowedListenersPatch>;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope?: pulumi.Input<string>;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName?: pulumi.Input<string>;
+            infrastructure?: pulumi.Input<inputs.gateway.v1.GatewaySpecInfrastructurePatch>;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecListenersPatch>[]>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsPatch>;
+        }
+
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecTls {
+            backend?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsBackend>;
+            frontend?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontend>;
+        }
+
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackend {
+            clientCertificateRef?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRef>;
+        }
+
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendClientCertificateRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendClientCertificateRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendPatch {
+            clientCertificateRef?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRefPatch>;
+        }
+
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontend {
+            default?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefault>;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPort>[]>;
+        }
+
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefault {
+            validation?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidation>;
+        }
+
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultPatch {
+            validation?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationPatch>;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPatch {
+            default?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendDefaultPatch>;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortPatch>[]>;
+        }
+
+        export interface GatewaySpecTlsFrontendPerPort {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTls>;
+        }
+
+        export interface GatewaySpecTlsFrontendPerPortPatch {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            tls?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsPatch>;
+        }
+
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTls {
+            validation?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidation>;
+        }
+
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsPatch {
+            validation?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationPatch>;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecTlsPatch {
+            backend?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsBackendPatch>;
+            frontend?: pulumi.Input<inputs.gateway.v1.GatewaySpecTlsFrontendPatch>;
+        }
+
+        /**
+         * Status defines the current state of Gateway.
+         */
+        export interface GatewayStatus {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusAddresses>[]>;
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusConditions>[]>;
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusListeners>[]>;
+        }
+
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        export interface GatewayStatusAddresses {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        export interface GatewayStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes?: pulumi.Input<number>;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusListenersConditions>[]>;
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1.GatewayStatusListenersSupportedKinds>[]>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewayStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRoute provides a way to route HTTP requests. This includes the capability
+         * to match requests by hostname, path, header, or query param. Filters can be
+         * used to specify additional processing steps. Backends specify where matching
+         * requests should be routed.
+         */
+        export interface HTTPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"HTTPRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1.HTTPRouteStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        export interface HTTPRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface HTTPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface HTTPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        export interface HTTPRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface HTTPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFilters>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatches>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            retry?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesRetry>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesSessionPersistence>;
+            timeouts?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesTimeouts>;
+        }
+
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface HTTPRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFilters>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFilters {
+            cors?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCors>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite>;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody>;
+            grpc?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc>;
+            http?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch>;
+            grpc?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch>;
+            http?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersPatch {
+            cors?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath>;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch>;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersPatch>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesFilters {
+            cors?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersCors>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRef>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuth>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirror>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirect>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewrite>;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuth {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody>;
+            grpc?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpc>;
+            http?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttp>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch>;
+            grpc?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch>;
+            http?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesFiltersPatch {
+            cors?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersCorsPatch>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRefPatch>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorPatch>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePatch>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPath>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPathPatch>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePath>;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePathPatch>;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        export interface HTTPRouteSpecRulesMatches {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesHeaders>[]>;
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesPath>;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParams>[]>;
+        }
+
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        export interface HTTPRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        export interface HTTPRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        export interface HTTPRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesHeadersPatch>[]>;
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesPathPatch>;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParamsPatch>[]>;
+        }
+
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        export interface HTTPRouteSpecRulesMatchesPath {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        export interface HTTPRouteSpecRulesMatchesPathPatch {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        export interface HTTPRouteSpecRulesMatchesQueryParams {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        export interface HTTPRouteSpecRulesMatchesQueryParamsPatch {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface HTTPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesFiltersPatch>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesMatchesPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            retry?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesRetryPatch>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesSessionPersistencePatch>;
+            timeouts?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesTimeoutsPatch>;
+        }
+
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesRetry {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts?: pulumi.Input<number>;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff?: pulumi.Input<string>;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes?: pulumi.Input<pulumi.Input<number>[]>;
+        }
+
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesRetryPatch {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts?: pulumi.Input<number>;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff?: pulumi.Input<string>;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes?: pulumi.Input<pulumi.Input<number>[]>;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesSessionPersistenceCookieConfig>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1.HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesTimeouts {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest?: pulumi.Input<string>;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request?: pulumi.Input<string>;
+        }
+
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesTimeoutsPatch {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest?: pulumi.Input<string>;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        export interface HTTPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteStatusParents>[]>;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface HTTPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1.HTTPRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1.HTTPRouteStatusParentsParentRef>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface HTTPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface HTTPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+    }
+
+    export namespace v1alpha1 {
+        /**
+         * XBackendTrafficPolicy defines the configuration for how traffic to a
+         * target backend should be handled.
+         */
+        export interface XBackendTrafficPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"XBackendTrafficPolicy">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicyStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTrafficPolicy.
+         */
+        export interface XBackendTrafficPolicySpec {
+            retryConstraint?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraint>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistence>;
+            /**
+             * TargetRefs identifies API object(s) to apply this policy to.
+             * Currently, Backends (A grouping of like endpoints such as Service,
+             * ServiceImport, or any implementation-specific backendRef) are the only
+             * valid API target references.
+             *
+             * Currently, a TargetRef can not be scoped to a specific port on a
+             * Service.
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefs>[]>;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTrafficPolicy.
+         */
+        export interface XBackendTrafficPolicySpecPatch {
+            retryConstraint?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintPatch>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistencePatch>;
+            /**
+             * TargetRefs identifies API object(s) to apply this policy to.
+             * Currently, Backends (A grouping of like endpoints such as Service,
+             * ServiceImport, or any implementation-specific backendRef) are the only
+             * valid API target references.
+             *
+             * Currently, a TargetRef can not be scoped to a specific port on a
+             * Service.
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefsPatch>[]>;
+        }
+
+        /**
+         * RetryConstraint defines the configuration for when to allow or prevent
+         * further retries to a target backend, by dynamically calculating a 'retry
+         * budget'. This budget is calculated based on the percentage of incoming
+         * traffic composed of retries over a given time interval. Once the budget
+         * is exceeded, additional retries will be rejected.
+         *
+         * For example, if the retry budget interval is 10 seconds, there have been
+         * 1000 active requests in the past 10 seconds, and the allowed percentage
+         * of requests that can be retried is 20% (the default), then 200 of those
+         * requests may be composed of retries. Active requests will only be
+         * considered for the duration of the interval when calculating the retry
+         * budget. Retrying the same original request multiple times within the
+         * retry budget interval will lead to each retry being counted towards
+         * calculating the budget.
+         *
+         * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with
+         * HTTPRoute Retry settings for each HTTPRouteRule that targets the same
+         * backend. While the HTTPRouteRule Retry stanza can specify whether a
+         * request will be retried, and the number of retry attempts each client
+         * may perform, RetryConstraint helps prevent cascading failures such as
+         * retry storms during periods of consistent failures.
+         *
+         * After the retry budget has been exceeded, additional retries to the
+         * backend MUST return a 503 response to the client.
+         *
+         * Additional configurations for defining a constraint on retries MAY be
+         * defined in the future.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraint {
+            budget?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudget>;
+            minRetryRate?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRate>;
+        }
+
+        /**
+         * Budget holds the details of the retry budget configuration.
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintBudget {
+            /**
+             * Interval defines the duration in which requests will be considered
+             * for calculating the budget for retries.
+             *
+             * Support: Extended
+             */
+            interval?: pulumi.Input<string>;
+            /**
+             * Percent defines the maximum percentage of active requests that may
+             * be made up of retries.
+             *
+             * Support: Extended
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * Budget holds the details of the retry budget configuration.
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintBudgetPatch {
+            /**
+             * Interval defines the duration in which requests will be considered
+             * for calculating the budget for retries.
+             *
+             * Support: Extended
+             */
+            interval?: pulumi.Input<string>;
+            /**
+             * Percent defines the maximum percentage of active requests that may
+             * be made up of retries.
+             *
+             * Support: Extended
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * MinRetryRate defines the minimum rate of retries that will be allowable
+         * over a specified duration of time.
+         *
+         * The effective overall minimum rate of retries targeting the backend
+         * service may be much higher, as there can be any number of clients which
+         * are applying this setting locally.
+         *
+         * This ensures that requests can still be retried during periods of low
+         * traffic, where the budget for retries may be calculated as a very low
+         * value.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintMinRetryRate {
+            /**
+             * Count specifies the number of requests per time interval.
+             *
+             * Support: Extended
+             */
+            count?: pulumi.Input<number>;
+            /**
+             * Interval specifies the divisor of the rate of requests, the amount of
+             * time during which the given count of requests occur.
+             *
+             * Support: Extended
+             */
+            interval?: pulumi.Input<string>;
+        }
+
+        /**
+         * MinRetryRate defines the minimum rate of retries that will be allowable
+         * over a specified duration of time.
+         *
+         * The effective overall minimum rate of retries targeting the backend
+         * service may be much higher, as there can be any number of clients which
+         * are applying this setting locally.
+         *
+         * This ensures that requests can still be retried during periods of low
+         * traffic, where the budget for retries may be calculated as a very low
+         * value.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch {
+            /**
+             * Count specifies the number of requests per time interval.
+             *
+             * Support: Extended
+             */
+            count?: pulumi.Input<number>;
+            /**
+             * Interval specifies the divisor of the rate of requests, the amount of
+             * time during which the given count of requests occur.
+             *
+             * Support: Extended
+             */
+            interval?: pulumi.Input<string>;
+        }
+
+        /**
+         * RetryConstraint defines the configuration for when to allow or prevent
+         * further retries to a target backend, by dynamically calculating a 'retry
+         * budget'. This budget is calculated based on the percentage of incoming
+         * traffic composed of retries over a given time interval. Once the budget
+         * is exceeded, additional retries will be rejected.
+         *
+         * For example, if the retry budget interval is 10 seconds, there have been
+         * 1000 active requests in the past 10 seconds, and the allowed percentage
+         * of requests that can be retried is 20% (the default), then 200 of those
+         * requests may be composed of retries. Active requests will only be
+         * considered for the duration of the interval when calculating the retry
+         * budget. Retrying the same original request multiple times within the
+         * retry budget interval will lead to each retry being counted towards
+         * calculating the budget.
+         *
+         * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with
+         * HTTPRoute Retry settings for each HTTPRouteRule that targets the same
+         * backend. While the HTTPRouteRule Retry stanza can specify whether a
+         * request will be retried, and the number of retry attempts each client
+         * may perform, RetryConstraint helps prevent cascading failures such as
+         * retry storms during periods of consistent failures.
+         *
+         * After the retry budget has been exceeded, additional retries to the
+         * backend MUST return a 503 response to the client.
+         *
+         * Additional configurations for defining a constraint on retries MAY be
+         * defined in the future.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintPatch {
+            budget?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudgetPatch>;
+            minRetryRate?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch>;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the backend.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfig>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface XBackendTrafficPolicySpecSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the backend.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalPolicyTargetReference identifies an API object to apply a direct or
+         * inherited policy to. This should be used as part of Policy resources
+         * that can target Gateway API resources. For more information on how this
+         * policy attachment model works, and a sample Policy resource, refer to
+         * the policy attachment documentation for Gateway API.
+         */
+        export interface XBackendTrafficPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalPolicyTargetReference identifies an API object to apply a direct or
+         * inherited policy to. This should be used as part of Policy resources
+         * that can target Gateway API resources. For more information on how this
+         * policy attachment model works, and a sample Policy resource, refer to
+         * the policy attachment documentation for Gateway API.
+         */
+        export interface XBackendTrafficPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of BackendTrafficPolicy.
+         */
+        export interface XBackendTrafficPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestors>[]>;
+        }
+
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        export interface XBackendTrafficPolicyStatusAncestors {
+            ancestorRef?: pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRef>;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+        }
+
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        export interface XBackendTrafficPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XBackendTrafficPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+         * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+         *
+         * The parent Gateway must explicitly allow ListenerSet attachment through its
+         * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+         * attachment.
+         *
+         * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+         * optionally target specific listeners using the sectionName field.
+         *
+         * Policy Attachment:
+         * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+         * - Policies do not impact listeners in the parent Gateway
+         * - Different ListenerSets attached to the same Gateway can have different policies
+         * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+         *
+         * ReferenceGrant Semantics:
+         * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+         * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+         * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+         *
+         * Gateway Integration:
+         * - The parent Gateway's status will include an "AttachedListenerSets" condition
+         * - This condition will be:
+         *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+         *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+         *   - Unknown: when no AllowedListeners config is present
+         */
+        export interface XListenerSet {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"XListenerSet">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of ListenerSet.
+         */
+        export interface XListenerSetSpec {
+            /**
+             * Listeners associated with this ListenerSet. Listeners define
+             * logical endpoints that are bound on this referenced parent Gateway's addresses.
+             *
+             * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+             * as a list when programming the underlying infrastructure. Each listener
+             * name does not need to be unique across the Gateway and ListenerSets.
+             * See ListenerEntry.Name for more details.
+             *
+             * Implementations MUST treat the parent Gateway as having the merged
+             * list of all listeners from itself and attached ListenerSets using
+             * the following precedence:
+             *
+             * 1. "parent" Gateway
+             * 2. ListenerSet ordered by creation time (oldest first)
+             * 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+             *
+             * An implementation MAY reject listeners by setting the ListenerEntryStatus
+             * `Accepted` condition to False with the Reason `TooManyListeners`
+             *
+             * If a listener has a conflict, this will be reported in the
+             * Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+             *
+             * Implementations SHOULD be cautious about what information from the
+             * parent or siblings are reported to avoid accidentally leaking
+             * sensitive information that the child would not otherwise have access
+             * to. This can include contents of secrets etc.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListeners>[]>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecParentRef>;
+        }
+
+        export interface XListenerSetSpecListeners {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutes>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+             *   protocol layers as described above. If an implementation does not
+             *   ensure that both the SNI and Host header match the Listener hostname,
+             *   it MUST clearly document that.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * ListenerSet.
+             *
+             * Name is not required to be unique across a Gateway and ListenerSets.
+             * Routes can attach to a Listener by having a ListenerSet as a parentRef
+             * and setting the SectionName
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * If the port is not set or specified as zero, the implementation will assign
+             * a unique port. If the implementation does not support dynamic port
+             * assignment, it MUST set `Accepted` condition to `False` with the
+             * `UnsupportedPort` reason.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersTls>;
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKinds>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespaces>;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelector>;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKindsPatch>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesPatch>;
+        }
+
+        export interface XListenerSetSpecListenersPatch {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesPatch>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+             *   protocol layers as described above. If an implementation does not
+             *   ensure that both the SNI and Host header match the Listener hostname,
+             *   it MUST clearly document that.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * ListenerSet.
+             *
+             * Name is not required to be unique across a Gateway and ListenerSets.
+             * Routes can attach to a Listener by having a ListenerSet as a parentRef
+             * and setting the SectionName
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * If the port is not set or specified as zero, the implementation will assign
+             * a unique port. If the implementation does not support dynamic port
+             * assignment, it MUST set `Accepted` condition to `False` with the
+             * `UnsupportedPort` reason.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersTlsPatch>;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         */
+        export interface XListenerSetSpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefs>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface XListenerSetSpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface XListenerSetSpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         */
+        export interface XListenerSetSpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefsPatch>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * ParentRef references the Gateway that the listeners are attached to.
+         */
+        export interface XListenerSetSpecParentRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Gateway".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.  If not present,
+             * the namespace of the referent is assumed to be the same as
+             * the namespace of the referring object.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentRef references the Gateway that the listeners are attached to.
+         */
+        export interface XListenerSetSpecParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Gateway".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.  If not present,
+             * the namespace of the referent is assumed to be the same as
+             * the namespace of the referring object.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of ListenerSet.
+         */
+        export interface XListenerSetSpecPatch {
+            /**
+             * Listeners associated with this ListenerSet. Listeners define
+             * logical endpoints that are bound on this referenced parent Gateway's addresses.
+             *
+             * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+             * as a list when programming the underlying infrastructure. Each listener
+             * name does not need to be unique across the Gateway and ListenerSets.
+             * See ListenerEntry.Name for more details.
+             *
+             * Implementations MUST treat the parent Gateway as having the merged
+             * list of all listeners from itself and attached ListenerSets using
+             * the following precedence:
+             *
+             * 1. "parent" Gateway
+             * 2. ListenerSet ordered by creation time (oldest first)
+             * 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+             *
+             * An implementation MAY reject listeners by setting the ListenerEntryStatus
+             * `Accepted` condition to False with the Reason `TooManyListeners`
+             *
+             * If a listener has a conflict, this will be reported in the
+             * Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+             *
+             * Implementations SHOULD be cautious about what information from the
+             * parent or siblings are reported to avoid accidentally leaking
+             * sensitive information that the child would not otherwise have access
+             * to. This can include contents of secrets etc.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecListenersPatch>[]>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha1.XListenerSetSpecParentRefPatch>;
+        }
+
+        /**
+         * Status defines the current state of ListenerSet.
+         */
+        export interface XListenerSetStatus {
+            /**
+             * Conditions describe the current conditions of the ListenerSet.
+             *
+             * Implementations MUST express ListenerSet conditions using the
+             * `ListenerSetConditionType` and `ListenerSetConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe ListenerSet state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatusConditions>[]>;
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatusListeners>[]>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XListenerSetStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        export interface XListenerSetStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes?: pulumi.Input<number>;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatusListenersConditions>[]>;
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port the listener is configured to listen on.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKinds>[]>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XListenerSetStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface XListenerSetStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+
+        /**
+         * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+         */
+        export interface XMesh {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.x-k8s.io/v1alpha1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"XMesh">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha1.XMeshStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of XMesh.
+         */
+        export interface XMeshSpec {
+            /**
+             * ControllerName is the name of a controller that is managing Gateway API
+             * resources for mesh traffic management. The value of this field MUST be a
+             * domain prefixed path.
+             *
+             * Example: "example.com/awesome-mesh".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description optionally provides a human-readable description of a Mesh.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpecParametersRef>;
+        }
+
+        /**
+         * ParametersRef is an optional reference to a resource that contains
+         * implementation-specific configuration for this Mesh. If no
+         * implementation-specific parameters are needed, this field MUST be
+         * omitted.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e.
+         * ConfigMap, or an implementation-specific custom resource. The resource
+         * can be cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Mesh MUST be rejected
+         * with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface XMeshSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParametersRef is an optional reference to a resource that contains
+         * implementation-specific configuration for this Mesh. If no
+         * implementation-specific parameters are needed, this field MUST be
+         * omitted.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e.
+         * ConfigMap, or an implementation-specific custom resource. The resource
+         * can be cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Mesh MUST be rejected
+         * with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface XMeshSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of XMesh.
+         */
+        export interface XMeshSpecPatch {
+            /**
+             * ControllerName is the name of a controller that is managing Gateway API
+             * resources for mesh traffic management. The value of this field MUST be a
+             * domain prefixed path.
+             *
+             * Example: "example.com/awesome-mesh".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description optionally provides a human-readable description of a Mesh.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1alpha1.XMeshSpecParametersRefPatch>;
+        }
+
+        /**
+         * Status defines the current state of XMesh.
+         */
+        export interface XMeshStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this Mesh.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of MeshConditionType for the type of each Condition.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XMeshStatusConditions>[]>;
+            /**
+             * SupportedFeatures is the set of features the Mesh support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha1.XMeshStatusSupportedFeatures>[]>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XMeshStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        export interface XMeshStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+    }
+
+    export namespace v1alpha2 {
+        /**
+         * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+         * listener, it can be used to forward connections on the port specified by the
+         * listener to a set of backends specified by the TCPRoute.
+         */
+        export interface TCPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"TCPRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of TCPRoute.
+         */
+        export interface TCPRouteSpec {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of TCP matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TCPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TCPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of TCPRoute.
+         */
+        export interface TCPRouteSpecPatch {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of TCP matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * TCPRouteRule is the configuration for a given rule.
+         */
+        export interface TCPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Connection rejections must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * connections, then 80% of connections must be rejected instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TCPRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TCPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * TCPRouteRule is the configuration for a given rule.
+         */
+        export interface TCPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Connection rejections must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * connections, then 80% of connections must be rejected instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of TCPRoute.
+         */
+        export interface TCPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteStatusParents>[]>;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface TCPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TCPRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha2.TCPRouteStatusParentsParentRef>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface TCPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface TCPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * The TLSRoute resource is similar to TCPRoute, but can be configured
+         * to match against TLS-specific metadata. This allows more flexibility
+         * in matching streams for a given TLS listener.
+         *
+         * If you need to forward traffic to a single target for a TLS listener, you
+         * could choose to use a TCPRoute with a TLS listener.
+         */
+        export interface TLSRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"TLSRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        export interface TLSRouteSpec {
+            /**
+             * Hostnames defines a set of SNI names that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI names per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of TLS matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TLSRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TLSRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        export interface TLSRouteSpecPatch {
+            /**
+             * Hostnames defines a set of SNI names that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI names per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of TLS matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        export interface TLSRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TLSRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TLSRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        export interface TLSRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        export interface TLSRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteStatusParents>[]>;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface TLSRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.TLSRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha2.TLSRouteStatusParentsParentRef>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface TLSRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface TLSRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+         * listener, it can be used to forward traffic on the port specified by the
+         * listener to a set of backends specified by the UDPRoute.
+         */
+        export interface UDPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha2">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"UDPRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of UDPRoute.
+         */
+        export interface UDPRouteSpec {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of UDP matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface UDPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface UDPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of UDPRoute.
+         */
+        export interface UDPRouteSpecPatch {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of UDP matchers and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * UDPRouteRule is the configuration for a given rule.
+         */
+        export interface UDPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Packet drops must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * the packets, then 80% of packets must be dropped instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface UDPRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface UDPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * UDPRouteRule is the configuration for a given rule.
+         */
+        export interface UDPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Packet drops must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * the packets, then 80% of packets must be dropped instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of UDPRoute.
+         */
+        export interface UDPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteStatusParents>[]>;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface UDPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha2.UDPRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha2.UDPRouteStatusParentsParentRef>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface UDPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface UDPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+    }
+
+    export namespace v1alpha3 {
+        /**
+         * BackendTLSPolicy provides a way to configure how a Gateway
+         * connects to a Backend via TLS.
+         */
+        export interface BackendTLSPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"BackendTLSPolicy">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicyStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicySpec {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefs>[]>;
+            validation?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidation>;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicySpecPatch {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefsPatch>[]>;
+            validation?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationPatch>;
+        }
+
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        export interface BackendTLSPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        export interface BackendTLSPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the target resource.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        export interface BackendTLSPolicySpecValidation {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefs>[]>;
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNames>[]>;
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface BackendTLSPolicySpecValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface BackendTLSPolicySpecValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        export interface BackendTLSPolicySpecValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefsPatch>[]>;
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNamesPatch>[]>;
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates?: pulumi.Input<string>;
+        }
+
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        export interface BackendTLSPolicySpecValidationSubjectAltNames {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri?: pulumi.Input<string>;
+        }
+
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        export interface BackendTLSPolicySpecValidationSubjectAltNamesPatch {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestors>[]>;
+        }
+
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        export interface BackendTLSPolicyStatusAncestors {
+            ancestorRef?: pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsAncestorRef>;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+        }
+
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        export interface BackendTLSPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface BackendTLSPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * The TLSRoute resource is similar to TCPRoute, but can be configured
+         * to match against TLS-specific metadata. This allows more flexibility
+         * in matching streams for a given TLS listener.
+         *
+         * If you need to forward traffic to a single target for a TLS listener, you
+         * could choose to use a TCPRoute with a TLS listener.
+         */
+        export interface TLSRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1alpha3">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"TLSRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        export interface TLSRouteSpec {
+            /**
+             * Hostnames defines a set of SNI hostnames that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI hostnames per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one of `test.example.com` or
+             *   `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one hostname that matches the Listener
+             *   hostname. For example, `test.example.com` and `*.example.com` would both
+             *   match. On the other hand, `example.com` and `test.example.net` would not
+             *   match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TLSRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TLSRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        export interface TLSRouteSpecPatch {
+            /**
+             * Hostnames defines a set of SNI hostnames that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI hostnames per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one of `test.example.com` or
+             *   `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one hostname that matches the Listener
+             *   hostname. For example, `test.example.com` and `*.example.com` would both
+             *   match. On the other hand, `example.com` and `test.example.net` would not
+             *   match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        export interface TLSRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TLSRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TLSRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        export interface TLSRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        export interface TLSRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteStatusParents>[]>;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface TLSRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1alpha3.TLSRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1alpha3.TLSRouteStatusParentsParentRef>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface TLSRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface TLSRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+    }
+
+    export namespace v1beta1 {
+        /**
+         * Gateway represents an instance of a service-traffic handling infrastructure
+         * by binding Listeners to a set of IP addresses.
+         */
+        export interface Gateway {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"Gateway">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpec>;
+            status?: pulumi.Input<inputs.gateway.v1beta1.GatewayStatus>;
+        }
+
+        /**
+         * GatewayClass describes a class of Gateways available to the user for creating
+         * Gateway resources.
+         *
+         * It is recommended that this resource be used as a template for Gateways. This
+         * means that a Gateway is based on the state of the GatewayClass at the time it
+         * was created and changes to the GatewayClass or associated parameters are not
+         * propagated down to existing Gateways. This recommendation is intended to
+         * limit the blast radius of changes to GatewayClass or associated parameters.
+         * If implementations choose to propagate GatewayClass changes to existing
+         * Gateways, that MUST be clearly documented by the implementation.
+         *
+         * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+         * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+         * associated GatewayClass. This ensures that a GatewayClass associated with a
+         * Gateway is not deleted while in use.
+         *
+         * GatewayClass is a Cluster level resource.
+         */
+        export interface GatewayClass {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"GatewayClass">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpec>;
+            status?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        export interface GatewayClassSpec {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpecParametersRef>;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewayClassSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewayClassSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        export interface GatewayClassSpecPatch {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName?: pulumi.Input<string>;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description?: pulumi.Input<string>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1beta1.GatewayClassSpecParametersRefPatch>;
+        }
+
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        export interface GatewayClassStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayClassStatusConditions>[]>;
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayClassStatusSupportedFeatures>[]>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayClassStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        export interface GatewayClassStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        export interface GatewaySpec {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAddresses>[]>;
+            allowedListeners?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListeners>;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope?: pulumi.Input<string>;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName?: pulumi.Input<string>;
+            infrastructure?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecInfrastructure>;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListeners>[]>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTls>;
+        }
+
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        export interface GatewaySpecAddresses {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        export interface GatewaySpecAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListeners {
+            namespaces?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespaces>;
+        }
+
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersNamespaces {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelector>;
+        }
+
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesPatch {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorPatch>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersPatch {
+            namespaces?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesPatch>;
+        }
+
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecInfrastructure {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecInfrastructureParametersRef>;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewaySpecInfrastructureParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewaySpecInfrastructureParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecInfrastructurePatch {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            parametersRef?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecInfrastructureParametersRefPatch>;
+        }
+
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        export interface GatewaySpecListeners {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutes>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersTls>;
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKinds>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespaces>;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewaySpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewaySpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelector>;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<string>;
+            selector?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key?: pulumi.Input<string>;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator?: pulumi.Input<string>;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch>[]>;
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKindsPatch>[]>;
+            namespaces?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesPatch>;
+        }
+
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        export interface GatewaySpecListenersPatch {
+            allowedRoutes?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesPatch>;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol?: pulumi.Input<string>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersTlsPatch>;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefs>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefsPatch>[]>;
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+        }
+
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        export interface GatewaySpecPatch {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAddressesPatch>[]>;
+            allowedListeners?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecAllowedListenersPatch>;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope?: pulumi.Input<string>;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName?: pulumi.Input<string>;
+            infrastructure?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecInfrastructurePatch>;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecListenersPatch>[]>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsPatch>;
+        }
+
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecTls {
+            backend?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsBackend>;
+            frontend?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontend>;
+        }
+
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackend {
+            clientCertificateRef?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRef>;
+        }
+
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendClientCertificateRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendClientCertificateRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendPatch {
+            clientCertificateRef?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRefPatch>;
+        }
+
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontend {
+            default?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefault>;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPort>[]>;
+        }
+
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefault {
+            validation?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidation>;
+        }
+
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultPatch {
+            validation?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationPatch>;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPatch {
+            default?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultPatch>;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortPatch>[]>;
+        }
+
+        export interface GatewaySpecTlsFrontendPerPort {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTls>;
+        }
+
+        export interface GatewaySpecTlsFrontendPerPortPatch {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port?: pulumi.Input<number>;
+            tls?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsPatch>;
+        }
+
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTls {
+            validation?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidation>;
+        }
+
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsPatch {
+            validation?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationPatch>;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch>[]>;
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode?: pulumi.Input<string>;
+        }
+
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecTlsPatch {
+            backend?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsBackendPatch>;
+            frontend?: pulumi.Input<inputs.gateway.v1beta1.GatewaySpecTlsFrontendPatch>;
+        }
+
+        /**
+         * Status defines the current state of Gateway.
+         */
+        export interface GatewayStatus {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusAddresses>[]>;
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusConditions>[]>;
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusListeners>[]>;
+        }
+
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        export interface GatewayStatusAddresses {
+            /**
+             * Type of the address.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        export interface GatewayStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes?: pulumi.Input<number>;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusListenersConditions>[]>;
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.GatewayStatusListenersSupportedKinds>[]>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewayStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRoute provides a way to route HTTP requests. This includes the capability
+         * to match requests by hostname, path, header, or query param. Filters can be
+         * used to specify additional processing steps. Backends specify where matching
+         * requests should be routed.
+         */
+        export interface HTTPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"HTTPRoute">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpec>;
+            status?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteStatus>;
+        }
+
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        export interface HTTPRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecParentRefs>[]>;
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRules>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface HTTPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface HTTPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        export interface HTTPRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecParentRefsPatch>[]>;
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesPatch>[]>;
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface HTTPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefs>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFilters>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatches>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            retry?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesRetry>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistence>;
+            timeouts?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesTimeouts>;
+        }
+
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface HTTPRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFilters>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFilters {
+            cors?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCors>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite>;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody>;
+            grpc?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc>;
+            http?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch>;
+            grpc?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch>;
+            http?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersPatch {
+            cors?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath>;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch>;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersPatch>[]>;
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight?: pulumi.Input<number>;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesFilters {
+            cors?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCors>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRef>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuth>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifier>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirror>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirect>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifier>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewrite>;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials?: pulumi.Input<boolean>;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge?: pulumi.Input<number>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuth {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody>;
+            grpc?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpc>;
+            http?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttp>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize?: pulumi.Input<number>;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path?: pulumi.Input<string>;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch>;
+            forwardBody?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch>;
+            grpc?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch>;
+            http?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch>;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesFiltersPatch {
+            cors?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCorsPatch>;
+            extensionRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRefPatch>;
+            externalAuth?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthPatch>;
+            requestHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch>;
+            requestMirror?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorPatch>;
+            requestRedirect?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPatch>;
+            responseHeaderModifier?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch>;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+            urlRewrite?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePatch>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirror {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef>;
+            fraction?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFraction>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator?: pulumi.Input<number>;
+            numerator?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch>;
+            fraction?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch>;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPath>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPathPatch>;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme?: pulumi.Input<string>;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode?: pulumi.Input<number>;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSet>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch>[]>;
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch>[]>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePath>;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePathPatch>;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath?: pulumi.Input<string>;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch?: pulumi.Input<string>;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        export interface HTTPRouteSpecRulesMatches {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesHeaders>[]>;
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPath>;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParams>[]>;
+        }
+
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        export interface HTTPRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        export interface HTTPRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        export interface HTTPRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesHeadersPatch>[]>;
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method?: pulumi.Input<string>;
+            path?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPathPatch>;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParamsPatch>[]>;
+        }
+
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        export interface HTTPRouteSpecRulesMatchesPath {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        export interface HTTPRouteSpecRulesMatchesPathPatch {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        export interface HTTPRouteSpecRulesMatchesQueryParams {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        export interface HTTPRouteSpecRulesMatchesQueryParamsPatch {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type?: pulumi.Input<string>;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value?: pulumi.Input<string>;
+        }
+
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface HTTPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsPatch>[]>;
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersPatch>[]>;
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPatch>[]>;
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name?: pulumi.Input<string>;
+            retry?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesRetryPatch>;
+            sessionPersistence?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistencePatch>;
+            timeouts?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesTimeoutsPatch>;
+        }
+
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesRetry {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts?: pulumi.Input<number>;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff?: pulumi.Input<string>;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes?: pulumi.Input<pulumi.Input<number>[]>;
+        }
+
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesRetryPatch {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts?: pulumi.Input<number>;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff?: pulumi.Input<string>;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes?: pulumi.Input<pulumi.Input<number>[]>;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistenceCookieConfig>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType?: pulumi.Input<string>;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout?: pulumi.Input<string>;
+            cookieConfig?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch>;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout?: pulumi.Input<string>;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName?: pulumi.Input<string>;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesTimeouts {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest?: pulumi.Input<string>;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request?: pulumi.Input<string>;
+        }
+
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesTimeoutsPatch {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest?: pulumi.Input<string>;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request?: pulumi.Input<string>;
+        }
+
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        export interface HTTPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteStatusParents>[]>;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface HTTPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.HTTPRouteStatusParentsConditions>[]>;
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName?: pulumi.Input<string>;
+            parentRef?: pulumi.Input<inputs.gateway.v1beta1.HTTPRouteStatusParentsParentRef>;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface HTTPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime?: pulumi.Input<string>;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message?: pulumi.Input<string>;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration?: pulumi.Input<number>;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason?: pulumi.Input<string>;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status?: pulumi.Input<string>;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type?: pulumi.Input<string>;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface HTTPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port?: pulumi.Input<number>;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName?: pulumi.Input<string>;
+        }
+
+        /**
+         * ReferenceGrant identifies kinds of resources in other namespaces that are
+         * trusted to reference the specified kinds of resources in the same namespace
+         * as the policy.
+         *
+         * Each ReferenceGrant can be used to represent a unique trust relationship.
+         * Additional Reference Grants can be used to add to the set of trusted
+         * sources of inbound references for the namespace they are defined within.
+         *
+         * All cross-namespace references in Gateway API (with the exception of cross-namespace
+         * Gateway-route attachment) require a ReferenceGrant.
+         *
+         * ReferenceGrant is a form of runtime verification allowing users to assert
+         * which cross-namespace object references are permitted. Implementations that
+         * support ReferenceGrant MUST NOT permit cross-namespace references which have
+         * no grant, and MUST respond to the removal of a grant by revoking the access
+         * that the grant allowed.
+         */
+        export interface ReferenceGrant {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion?: pulumi.Input<"gateway.networking.k8s.io/v1beta1">;
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<"ReferenceGrant">;
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata?: pulumi.Input<inputs.meta.v1.ObjectMeta>;
+            spec?: pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpec>;
+        }
+
+        /**
+         * Spec defines the desired state of ReferenceGrant.
+         */
+        export interface ReferenceGrantSpec {
+            /**
+             * From describes the trusted namespaces and kinds that can reference the
+             * resources described in "To". Each entry in this list MUST be considered
+             * to be an additional place that references can be valid from, or to put
+             * this another way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecFrom>[]>;
+            /**
+             * To describes the resources that may be referenced by the resources
+             * described in "From". Each entry in this list MUST be considered to be an
+             * additional place that references can be valid to, or to put this another
+             * way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            to?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecTo>[]>;
+        }
+
+        /**
+         * ReferenceGrantFrom describes trusted namespaces and kinds.
+         */
+        export interface ReferenceGrantSpecFrom {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field.
+             *
+             * When used to permit a SecretObjectReference:
+             *
+             * * Gateway
+             *
+             * When used to permit a BackendObjectReference:
+             *
+             * * GRPCRoute
+             * * HTTPRoute
+             * * TCPRoute
+             * * TLSRoute
+             * * UDPRoute
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * ReferenceGrantFrom describes trusted namespaces and kinds.
+         */
+        export interface ReferenceGrantSpecFromPatch {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field.
+             *
+             * When used to permit a SecretObjectReference:
+             *
+             * * Gateway
+             *
+             * When used to permit a BackendObjectReference:
+             *
+             * * GRPCRoute
+             * * HTTPRoute
+             * * TCPRoute
+             * * TLSRoute
+             * * UDPRoute
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Namespace is the namespace of the referent.
+             *
+             * Support: Core
+             */
+            namespace?: pulumi.Input<string>;
+        }
+
+        /**
+         * Spec defines the desired state of ReferenceGrant.
+         */
+        export interface ReferenceGrantSpecPatch {
+            /**
+             * From describes the trusted namespaces and kinds that can reference the
+             * resources described in "To". Each entry in this list MUST be considered
+             * to be an additional place that references can be valid from, or to put
+             * this another way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            from?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecFromPatch>[]>;
+            /**
+             * To describes the resources that may be referenced by the resources
+             * described in "From". Each entry in this list MUST be considered to be an
+             * additional place that references can be valid to, or to put this another
+             * way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            to?: pulumi.Input<pulumi.Input<inputs.gateway.v1beta1.ReferenceGrantSpecToPatch>[]>;
+        }
+
+        /**
+         * ReferenceGrantTo describes what Kinds are allowed as targets of the
+         * references.
+         */
+        export interface ReferenceGrantSpecTo {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field:
+             *
+             * * Secret when used to permit a SecretObjectReference
+             * * Service when used to permit a BackendObjectReference
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent. When unspecified, this policy
+             * refers to all resources of the specified Group and Kind in the local
+             * namespace.
+             */
+            name?: pulumi.Input<string>;
+        }
+
+        /**
+         * ReferenceGrantTo describes what Kinds are allowed as targets of the
+         * references.
+         */
+        export interface ReferenceGrantSpecToPatch {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group?: pulumi.Input<string>;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field:
+             *
+             * * Secret when used to permit a SecretObjectReference
+             * * Service when used to permit a BackendObjectReference
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name is the name of the referent. When unspecified, this policy
+             * refers to all resources of the specified Group and Kind in the local
+             * namespace.
+             */
+            name?: pulumi.Input<string>;
+        }
+    }
+}
+
+export namespace meta {
+    export namespace v1 {
+        /**
+         * ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.
+         */
+        export interface ListMeta {
+            /**
+             * continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.
+             */
+            continue?: pulumi.Input<string>;
+            /**
+             * remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.
+             */
+            remainingItemCount?: pulumi.Input<number>;
+            /**
+             * String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion?: pulumi.Input<string>;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink?: pulumi.Input<string>;
+        }
+
+        /**
+         * ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.
+         */
+        export interface ManagedFieldsEntry {
+            /**
+             * APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.
+             */
+            apiVersion?: pulumi.Input<string>;
+            /**
+             * FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"
+             */
+            fieldsType?: pulumi.Input<string>;
+            /**
+             * FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+             */
+            fieldsV1?: any;
+            /**
+             * Manager is an identifier of the workflow managing these fields.
+             */
+            manager?: pulumi.Input<string>;
+            /**
+             * Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.
+             */
+            operation?: pulumi.Input<string>;
+            /**
+             * Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.
+             */
+            subresource?: pulumi.Input<string>;
+            /**
+             * Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.
+             */
+            time?: pulumi.Input<string>;
+        }
+
+        /**
+         * ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.
+         */
+        export interface ManagedFieldsEntryPatch {
+            /**
+             * APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.
+             */
+            apiVersion?: pulumi.Input<string>;
+            /**
+             * FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"
+             */
+            fieldsType?: pulumi.Input<string>;
+            /**
+             * FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+             */
+            fieldsV1?: any;
+            /**
+             * Manager is an identifier of the workflow managing these fields.
+             */
+            manager?: pulumi.Input<string>;
+            /**
+             * Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.
+             */
+            operation?: pulumi.Input<string>;
+            /**
+             * Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.
+             */
+            subresource?: pulumi.Input<string>;
+            /**
+             * Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.
+             */
+            time?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.
+         */
+        export interface ObjectMeta {
+            /**
+             * Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+             *
+             * Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            creationTimestamp?: pulumi.Input<string>;
+            /**
+             * Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
+             */
+            deletionGracePeriodSeconds?: pulumi.Input<number>;
+            /**
+             * DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
+             *
+             * Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            deletionTimestamp?: pulumi.Input<string>;
+            /**
+             * Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
+             */
+            finalizers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.
+             *
+             * If this field is specified and the generated name exists, the server will return a 409.
+             *
+             * Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+             */
+            generateName?: pulumi.Input<string>;
+            /**
+             * A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
+             */
+            generation?: pulumi.Input<number>;
+            /**
+             * Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+             */
+            managedFields?: pulumi.Input<pulumi.Input<inputs.meta.v1.ManagedFieldsEntry>[]>;
+            /**
+             * Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
+             *
+             * Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
+             */
+            ownerReferences?: pulumi.Input<pulumi.Input<inputs.meta.v1.OwnerReference>[]>;
+            /**
+             * An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.
+             *
+             * Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion?: pulumi.Input<string>;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink?: pulumi.Input<string>;
+            /**
+             * UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
+             *
+             * Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid?: pulumi.Input<string>;
+        }
+
+        /**
+         * ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.
+         */
+        export interface ObjectMetaPatch {
+            /**
+             * Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
+             */
+            annotations?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+             *
+             * Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            creationTimestamp?: pulumi.Input<string>;
+            /**
+             * Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
+             */
+            deletionGracePeriodSeconds?: pulumi.Input<number>;
+            /**
+             * DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
+             *
+             * Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            deletionTimestamp?: pulumi.Input<string>;
+            /**
+             * Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
+             */
+            finalizers?: pulumi.Input<pulumi.Input<string>[]>;
+            /**
+             * GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.
+             *
+             * If this field is specified and the generated name exists, the server will return a 409.
+             *
+             * Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+             */
+            generateName?: pulumi.Input<string>;
+            /**
+             * A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
+             */
+            generation?: pulumi.Input<number>;
+            /**
+             * Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+             */
+            labels?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
+            /**
+             * ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+             */
+            managedFields?: pulumi.Input<pulumi.Input<inputs.meta.v1.ManagedFieldsEntryPatch>[]>;
+            /**
+             * Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
+             *
+             * Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+             */
+            namespace?: pulumi.Input<string>;
+            /**
+             * List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
+             */
+            ownerReferences?: pulumi.Input<pulumi.Input<inputs.meta.v1.OwnerReferencePatch>[]>;
+            /**
+             * An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.
+             *
+             * Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion?: pulumi.Input<string>;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink?: pulumi.Input<string>;
+            /**
+             * UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
+             *
+             * Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid?: pulumi.Input<string>;
+        }
+
+        /**
+         * OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.
+         */
+        export interface OwnerReference {
+            /**
+             * API version of the referent.
+             */
+            apiVersion: pulumi.Input<string>;
+            /**
+             * If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.
+             */
+            blockOwnerDeletion?: pulumi.Input<boolean>;
+            /**
+             * If true, this reference points to the managing controller.
+             */
+            controller?: pulumi.Input<boolean>;
+            /**
+             * Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: pulumi.Input<string>;
+            /**
+             * Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: pulumi.Input<string>;
+            /**
+             * UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: pulumi.Input<string>;
+        }
+
+        /**
+         * OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.
+         */
+        export interface OwnerReferencePatch {
+            /**
+             * API version of the referent.
+             */
+            apiVersion?: pulumi.Input<string>;
+            /**
+             * If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.
+             */
+            blockOwnerDeletion?: pulumi.Input<boolean>;
+            /**
+             * If true, this reference points to the managing controller.
+             */
+            controller?: pulumi.Input<boolean>;
+            /**
+             * Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind?: pulumi.Input<string>;
+            /**
+             * Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name?: pulumi.Input<string>;
+            /**
+             * UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid?: pulumi.Input<string>;
+        }
+
+    }
+}
diff --git a/generated/crds/types/output.d.ts b/generated/crds/types/output.d.ts
new file mode 100644
index 0000000..16baf81
--- /dev/null
+++ b/generated/crds/types/output.d.ts
@@ -0,0 +1,51658 @@
+import * as outputs from "../types/output";
+export declare namespace acme {
+    namespace v1 {
+        /**
+         * Challenge is a type to represent a Challenge request with an ACME server
+         */
+        interface Challenge {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "acme.cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Challenge";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.acme.v1.ChallengeSpec;
+            status: outputs.acme.v1.ChallengeStatus;
+        }
+        interface ChallengeSpec {
+            /**
+             * The URL to the ACME Authorization resource that this
+             * challenge is a part of.
+             */
+            authorizationURL: string;
+            /**
+             * dnsName is the identifier that this challenge is for, e.g., example.com.
+             * If the requested DNSName is a 'wildcard', this field MUST be set to the
+             * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
+             */
+            dnsName: string;
+            issuerRef: outputs.acme.v1.ChallengeSpecIssuerRef;
+            /**
+             * The ACME challenge key for this challenge
+             * For HTTP01 challenges, this is the value that must be responded with to
+             * complete the HTTP01 challenge in the format:
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`.
+             * For DNS01 challenges, this is the base64 encoded SHA256 sum of the
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`
+             * text that must be set as the TXT record content.
+             */
+            key: string;
+            solver: outputs.acme.v1.ChallengeSpecSolver;
+            /**
+             * The ACME challenge token for this challenge.
+             * This is the raw value returned from the ACME server.
+             */
+            token: string;
+            /**
+             * The type of ACME challenge this resource represents.
+             * One of "HTTP-01" or "DNS-01".
+             */
+            type: string;
+            /**
+             * The URL of the ACME Challenge resource for this challenge.
+             * This can be used to lookup details about the status of this challenge.
+             */
+            url: string;
+            /**
+             * wildcard will be true if this challenge is for a wildcard identifier,
+             * for example '*.example.com'.
+             */
+            wildcard: boolean;
+        }
+        /**
+         * References a properly configured ACME-type Issuer which should
+         * be used to create this Challenge.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Challenge will be marked as failed.
+         */
+        interface ChallengeSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+        /**
+         * References a properly configured ACME-type Issuer which should
+         * be used to create this Challenge.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Challenge will be marked as failed.
+         */
+        interface ChallengeSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+        interface ChallengeSpecPatch {
+            /**
+             * The URL to the ACME Authorization resource that this
+             * challenge is a part of.
+             */
+            authorizationURL: string;
+            /**
+             * dnsName is the identifier that this challenge is for, e.g., example.com.
+             * If the requested DNSName is a 'wildcard', this field MUST be set to the
+             * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
+             */
+            dnsName: string;
+            issuerRef: outputs.acme.v1.ChallengeSpecIssuerRefPatch;
+            /**
+             * The ACME challenge key for this challenge
+             * For HTTP01 challenges, this is the value that must be responded with to
+             * complete the HTTP01 challenge in the format:
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`.
+             * For DNS01 challenges, this is the base64 encoded SHA256 sum of the
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`
+             * text that must be set as the TXT record content.
+             */
+            key: string;
+            solver: outputs.acme.v1.ChallengeSpecSolverPatch;
+            /**
+             * The ACME challenge token for this challenge.
+             * This is the raw value returned from the ACME server.
+             */
+            token: string;
+            /**
+             * The type of ACME challenge this resource represents.
+             * One of "HTTP-01" or "DNS-01".
+             */
+            type: string;
+            /**
+             * The URL of the ACME Challenge resource for this challenge.
+             * This can be used to lookup details about the status of this challenge.
+             */
+            url: string;
+            /**
+             * wildcard will be true if this challenge is for a wildcard identifier,
+             * for example '*.example.com'.
+             */
+            wildcard: boolean;
+        }
+        /**
+         * Contains the domain solving configuration that should be used to
+         * solve this challenge resource.
+         */
+        interface ChallengeSpecSolver {
+            dns01: outputs.acme.v1.ChallengeSpecSolverDns01;
+            http01: outputs.acme.v1.ChallengeSpecSolverHttp01;
+            selector: outputs.acme.v1.ChallengeSpecSolverSelector;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface ChallengeSpecSolverDns01 {
+            acmeDNS: outputs.acme.v1.ChallengeSpecSolverDns01AcmeDNS;
+            akamai: outputs.acme.v1.ChallengeSpecSolverDns01Akamai;
+            azureDNS: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNS;
+            cloudDNS: outputs.acme.v1.ChallengeSpecSolverDns01CloudDNS;
+            cloudflare: outputs.acme.v1.ChallengeSpecSolverDns01Cloudflare;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.acme.v1.ChallengeSpecSolverDns01Digitalocean;
+            rfc2136: outputs.acme.v1.ChallengeSpecSolverDns01Rfc2136;
+            route53: outputs.acme.v1.ChallengeSpecSolverDns01Route53;
+            webhook: outputs.acme.v1.ChallengeSpecSolverDns01Webhook;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AcmeDNS {
+            accountSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSAccountSecretRef;
+            host: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AcmeDNSPatch {
+            accountSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSAccountSecretRefPatch;
+            host: string;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Akamai {
+            accessTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiAccessTokenSecretRef;
+            clientSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientSecretSecretRef;
+            clientTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientTokenSecretRef;
+            serviceConsumerDomain: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AkamaiPatch {
+            accessTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiAccessTokenSecretRefPatch;
+            clientSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientSecretSecretRefPatch;
+            clientTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientTokenSecretRefPatch;
+            serviceConsumerDomain: string;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSClientSecretSecretRef;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSManagedIdentity;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSClientSecretSecretRefPatch;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRef;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRefPatch;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Cloudflare {
+            apiKeySecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiKeySecretRef;
+            apiTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiTokenSecretRef;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface ChallengeSpecSolverDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface ChallengeSpecSolverDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface ChallengeSpecSolverDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface ChallengeSpecSolverDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01CloudflarePatch {
+            apiKeySecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiKeySecretRefPatch;
+            apiTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiTokenSecretRefPatch;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Digitalocean {
+            tokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanTokenSecretRef;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01DigitaloceanPatch {
+            tokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanTokenSecretRefPatch;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ChallengeSpecSolverDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface ChallengeSpecSolverDns01Patch {
+            acmeDNS: outputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSPatch;
+            akamai: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiPatch;
+            azureDNS: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSPatch;
+            cloudDNS: outputs.acme.v1.ChallengeSpecSolverDns01CloudDNSPatch;
+            cloudflare: outputs.acme.v1.ChallengeSpecSolverDns01CloudflarePatch;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanPatch;
+            rfc2136: outputs.acme.v1.ChallengeSpecSolverDns01Rfc2136Patch;
+            route53: outputs.acme.v1.ChallengeSpecSolverDns01Route53Patch;
+            webhook: outputs.acme.v1.ChallengeSpecSolverDns01WebhookPatch;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRef;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRefPatch;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef;
+            auth: outputs.acme.v1.ChallengeSpecSolverDns01Route53Auth;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53SecretAccessKeySecretRef;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface ChallengeSpecSolverDns01Route53Auth {
+            kubernetes: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetes;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthKubernetes {
+            serviceAccountRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRef;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthKubernetesPatch {
+            serviceAccountRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRefPatch;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface ChallengeSpecSolverDns01Route53AuthPatch {
+            kubernetes: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesPatch;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch;
+            auth: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthPatch;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53SecretAccessKeySecretRefPatch;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ChallengeSpecSolverDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ChallengeSpecSolverDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {
+                [key: string]: any;
+            };
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface ChallengeSpecSolverDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {
+                [key: string]: any;
+            };
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface ChallengeSpecSolverHttp01 {
+            gatewayHTTPRoute: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoute;
+            ingress: outputs.acme.v1.ChallengeSpecSolverHttp01Ingress;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {
+                [key: string]: string;
+            };
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs[];
+            podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {
+                [key: string]: string;
+            };
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch[];
+            podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata;
+            spec: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch;
+            spec: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources;
+            securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch;
+            securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[];
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[];
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface ChallengeSpecSolverHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplate;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01IngressIngressTemplate {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplateMetadata;
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01IngressIngressTemplatePatch {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplateMetadataPatch;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface ChallengeSpecSolverHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplatePatch;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplate {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateMetadata;
+            spec: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpec;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplatePatch {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch;
+            spec: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecPatch;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpec {
+            affinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResources;
+            securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerations[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinity;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecPatch {
+            affinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch;
+            securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch[];
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls[];
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface ChallengeSpecSolverHttp01Patch {
+            gatewayHTTPRoute: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePatch;
+            ingress: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPatch;
+        }
+        /**
+         * Contains the domain solving configuration that should be used to
+         * solve this challenge resource.
+         */
+        interface ChallengeSpecSolverPatch {
+            dns01: outputs.acme.v1.ChallengeSpecSolverDns01Patch;
+            http01: outputs.acme.v1.ChallengeSpecSolverHttp01Patch;
+            selector: outputs.acme.v1.ChallengeSpecSolverSelectorPatch;
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface ChallengeSpecSolverSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface ChallengeSpecSolverSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        interface ChallengeStatus {
+            /**
+             * presented will be set to true if the challenge values for this challenge
+             * are currently 'presented'.
+             * This *does not* imply the self check is passing. Only that the values
+             * have been 'submitted' for the appropriate challenge mechanism (i.e. the
+             * DNS01 TXT record has been presented, or the HTTP01 configuration has been
+             * configured).
+             */
+            presented: boolean;
+            /**
+             * Used to denote whether this challenge should be processed or not.
+             * This field will only be set to true by the 'scheduling' component.
+             * It will only be set to false by the 'challenges' controller, after the
+             * challenge has reached a final state or timed out.
+             * If this field is set to false, the challenge controller will not take
+             * any more action.
+             */
+            processing: boolean;
+            /**
+             * Contains human readable information on why the Challenge is in the
+             * current state.
+             */
+            reason: string;
+            /**
+             * Contains the current 'state' of the challenge.
+             * If not set, the state of the challenge is unknown.
+             */
+            state: string;
+        }
+        interface ChallengeStatusPatch {
+            /**
+             * presented will be set to true if the challenge values for this challenge
+             * are currently 'presented'.
+             * This *does not* imply the self check is passing. Only that the values
+             * have been 'submitted' for the appropriate challenge mechanism (i.e. the
+             * DNS01 TXT record has been presented, or the HTTP01 configuration has been
+             * configured).
+             */
+            presented: boolean;
+            /**
+             * Used to denote whether this challenge should be processed or not.
+             * This field will only be set to true by the 'scheduling' component.
+             * It will only be set to false by the 'challenges' controller, after the
+             * challenge has reached a final state or timed out.
+             * If this field is set to false, the challenge controller will not take
+             * any more action.
+             */
+            processing: boolean;
+            /**
+             * Contains human readable information on why the Challenge is in the
+             * current state.
+             */
+            reason: string;
+            /**
+             * Contains the current 'state' of the challenge.
+             * If not set, the state of the challenge is unknown.
+             */
+            state: string;
+        }
+        /**
+         * Order is a type to represent an Order with an ACME server
+         */
+        interface Order {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "acme.cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Order";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.acme.v1.OrderSpec;
+            status: outputs.acme.v1.OrderStatus;
+        }
+        interface OrderSpec {
+            /**
+             * CommonName is the common name as specified on the DER encoded CSR.
+             * If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            commonName: string;
+            /**
+             * DNSNames is a list of DNS names that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            dnsNames: string[];
+            /**
+             * Duration is the duration for the not after date for the requested certificate.
+             * this is set on order creation as pe the ACME spec.
+             */
+            duration: string;
+            /**
+             * IPAddresses is a list of IP addresses that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            ipAddresses: string[];
+            issuerRef: outputs.acme.v1.OrderSpecIssuerRef;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Certificate signing request bytes in DER encoding.
+             * This will be used when finalizing the order.
+             * This field must be set on the order.
+             */
+            request: string;
+        }
+        /**
+         * IssuerRef references a properly configured ACME-type Issuer which should
+         * be used to create this Order.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Order will be marked as failed.
+         */
+        interface OrderSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+        /**
+         * IssuerRef references a properly configured ACME-type Issuer which should
+         * be used to create this Order.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Order will be marked as failed.
+         */
+        interface OrderSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+        interface OrderSpecPatch {
+            /**
+             * CommonName is the common name as specified on the DER encoded CSR.
+             * If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            commonName: string;
+            /**
+             * DNSNames is a list of DNS names that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            dnsNames: string[];
+            /**
+             * Duration is the duration for the not after date for the requested certificate.
+             * this is set on order creation as pe the ACME spec.
+             */
+            duration: string;
+            /**
+             * IPAddresses is a list of IP addresses that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            ipAddresses: string[];
+            issuerRef: outputs.acme.v1.OrderSpecIssuerRefPatch;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Certificate signing request bytes in DER encoding.
+             * This will be used when finalizing the order.
+             * This field must be set on the order.
+             */
+            request: string;
+        }
+        interface OrderStatus {
+            /**
+             * Authorizations contains data returned from the ACME server on what
+             * authorizations must be completed in order to validate the DNS names
+             * specified on the Order.
+             */
+            authorizations: outputs.acme.v1.OrderStatusAuthorizations[];
+            /**
+             * Certificate is a copy of the PEM encoded certificate for this Order.
+             * This field will be populated after the order has been successfully
+             * finalized with the ACME server, and the order has transitioned to the
+             * 'valid' state.
+             */
+            certificate: string;
+            /**
+             * FailureTime stores the time that this order failed.
+             * This is used to influence garbage collection and back-off.
+             */
+            failureTime: string;
+            /**
+             * FinalizeURL of the Order.
+             * This is used to obtain certificates for this order once it has been completed.
+             */
+            finalizeURL: string;
+            /**
+             * Reason optionally provides more information about a why the order is in
+             * the current state.
+             */
+            reason: string;
+            /**
+             * State contains the current state of this Order resource.
+             * States 'success' and 'expired' are 'final'
+             */
+            state: string;
+            /**
+             * URL of the Order.
+             * This will initially be empty when the resource is first created.
+             * The Order controller will populate this field when the Order is first processed.
+             * This field will be immutable after it is initially set.
+             */
+            url: string;
+        }
+        /**
+         * ACMEAuthorization contains data returned from the ACME server on an
+         * authorization that must be completed in order validate a DNS name on an ACME
+         * Order resource.
+         */
+        interface OrderStatusAuthorizations {
+            /**
+             * Challenges specifies the challenge types offered by the ACME server.
+             * One of these challenge types will be selected when validating the DNS
+             * name and an appropriate Challenge resource will be created to perform
+             * the ACME challenge process.
+             */
+            challenges: outputs.acme.v1.OrderStatusAuthorizationsChallenges[];
+            /**
+             * Identifier is the DNS name to be validated as part of this authorization
+             */
+            identifier: string;
+            /**
+             * InitialState is the initial state of the ACME authorization when first
+             * fetched from the ACME server.
+             * If an Authorization is already 'valid', the Order controller will not
+             * create a Challenge resource for the authorization. This will occur when
+             * working with an ACME server that enables 'authz reuse' (such as Let's
+             * Encrypt's production endpoint).
+             * If not set and 'identifier' is set, the state is assumed to be pending
+             * and a Challenge will be created.
+             */
+            initialState: string;
+            /**
+             * URL is the URL of the Authorization that must be completed
+             */
+            url: string;
+            /**
+             * Wildcard will be true if this authorization is for a wildcard DNS name.
+             * If this is true, the identifier will be the *non-wildcard* version of
+             * the DNS name.
+             * For example, if '*.example.com' is the DNS name being validated, this
+             * field will be 'true' and the 'identifier' field will be 'example.com'.
+             */
+            wildcard: boolean;
+        }
+        /**
+         * Challenge specifies a challenge offered by the ACME server for an Order.
+         * An appropriate Challenge resource can be created to perform the ACME
+         * challenge process.
+         */
+        interface OrderStatusAuthorizationsChallenges {
+            /**
+             * Token is the token that must be presented for this challenge.
+             * This is used to compute the 'key' that must also be presented.
+             */
+            token: string;
+            /**
+             * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01',
+             * 'tls-sni-01', etc.
+             * This is the raw value retrieved from the ACME server.
+             * Only 'http-01' and 'dns-01' are supported by cert-manager, other values
+             * will be ignored.
+             */
+            type: string;
+            /**
+             * URL is the URL of this challenge. It can be used to retrieve additional
+             * metadata about the Challenge from the ACME server.
+             */
+            url: string;
+        }
+        /**
+         * Challenge specifies a challenge offered by the ACME server for an Order.
+         * An appropriate Challenge resource can be created to perform the ACME
+         * challenge process.
+         */
+        interface OrderStatusAuthorizationsChallengesPatch {
+            /**
+             * Token is the token that must be presented for this challenge.
+             * This is used to compute the 'key' that must also be presented.
+             */
+            token: string;
+            /**
+             * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01',
+             * 'tls-sni-01', etc.
+             * This is the raw value retrieved from the ACME server.
+             * Only 'http-01' and 'dns-01' are supported by cert-manager, other values
+             * will be ignored.
+             */
+            type: string;
+            /**
+             * URL is the URL of this challenge. It can be used to retrieve additional
+             * metadata about the Challenge from the ACME server.
+             */
+            url: string;
+        }
+        /**
+         * ACMEAuthorization contains data returned from the ACME server on an
+         * authorization that must be completed in order validate a DNS name on an ACME
+         * Order resource.
+         */
+        interface OrderStatusAuthorizationsPatch {
+            /**
+             * Challenges specifies the challenge types offered by the ACME server.
+             * One of these challenge types will be selected when validating the DNS
+             * name and an appropriate Challenge resource will be created to perform
+             * the ACME challenge process.
+             */
+            challenges: outputs.acme.v1.OrderStatusAuthorizationsChallengesPatch[];
+            /**
+             * Identifier is the DNS name to be validated as part of this authorization
+             */
+            identifier: string;
+            /**
+             * InitialState is the initial state of the ACME authorization when first
+             * fetched from the ACME server.
+             * If an Authorization is already 'valid', the Order controller will not
+             * create a Challenge resource for the authorization. This will occur when
+             * working with an ACME server that enables 'authz reuse' (such as Let's
+             * Encrypt's production endpoint).
+             * If not set and 'identifier' is set, the state is assumed to be pending
+             * and a Challenge will be created.
+             */
+            initialState: string;
+            /**
+             * URL is the URL of the Authorization that must be completed
+             */
+            url: string;
+            /**
+             * Wildcard will be true if this authorization is for a wildcard DNS name.
+             * If this is true, the identifier will be the *non-wildcard* version of
+             * the DNS name.
+             * For example, if '*.example.com' is the DNS name being validated, this
+             * field will be 'true' and the 'identifier' field will be 'example.com'.
+             */
+            wildcard: boolean;
+        }
+        interface OrderStatusPatch {
+            /**
+             * Authorizations contains data returned from the ACME server on what
+             * authorizations must be completed in order to validate the DNS names
+             * specified on the Order.
+             */
+            authorizations: outputs.acme.v1.OrderStatusAuthorizationsPatch[];
+            /**
+             * Certificate is a copy of the PEM encoded certificate for this Order.
+             * This field will be populated after the order has been successfully
+             * finalized with the ACME server, and the order has transitioned to the
+             * 'valid' state.
+             */
+            certificate: string;
+            /**
+             * FailureTime stores the time that this order failed.
+             * This is used to influence garbage collection and back-off.
+             */
+            failureTime: string;
+            /**
+             * FinalizeURL of the Order.
+             * This is used to obtain certificates for this order once it has been completed.
+             */
+            finalizeURL: string;
+            /**
+             * Reason optionally provides more information about a why the order is in
+             * the current state.
+             */
+            reason: string;
+            /**
+             * State contains the current state of this Order resource.
+             * States 'success' and 'expired' are 'final'
+             */
+            state: string;
+            /**
+             * URL of the Order.
+             * This will initially be empty when the resource is first created.
+             * The Order controller will populate this field when the Order is first processed.
+             * This field will be immutable after it is initially set.
+             */
+            url: string;
+        }
+    }
+}
+export declare namespace cert_manager {
+    namespace v1 {
+        /**
+         * A Certificate resource should be created to ensure an up to date and signed
+         * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+         *
+         * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+         */
+        interface Certificate {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Certificate";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.cert_manager.v1.CertificateSpec;
+            status: outputs.cert_manager.v1.CertificateStatus;
+        }
+        /**
+         * A CertificateRequest is used to request a signed certificate from one of the
+         * configured issuers.
+         *
+         * All fields within the CertificateRequest's `spec` are immutable after creation.
+         * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+         * condition and its `status.failureTime` field.
+         *
+         * A CertificateRequest is a one-shot resource, meaning it represents a single
+         * point in time request for a certificate and cannot be re-used.
+         */
+        interface CertificateRequest {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "CertificateRequest";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.cert_manager.v1.CertificateRequestSpec;
+            status: outputs.cert_manager.v1.CertificateRequestStatus;
+        }
+        /**
+         * Specification of the desired state of the CertificateRequest resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateRequestSpec {
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             */
+            duration: string;
+            /**
+             * Extra contains extra attributes of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            extra: {
+                [key: string]: string[];
+            };
+            /**
+             * Groups contains group membership of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            groups: string[];
+            /**
+             * Requested basic constraints isCA value. Note that the issuer may choose
+             * to ignore the requested isCA value, just like any other requested attribute.
+             *
+             * NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
+             * it must have the same isCA value as specified here.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA: boolean;
+            issuerRef: outputs.cert_manager.v1.CertificateRequestSpecIssuerRef;
+            /**
+             * The PEM-encoded X.509 certificate signing request to be submitted to the
+             * issuer for signing.
+             *
+             * If the CSR has a BasicConstraints extension, its isCA attribute must
+             * match the `isCA` value of this CertificateRequest.
+             * If the CSR has a KeyUsage extension, its key usages must match the
+             * key usages in the `usages` field of this CertificateRequest.
+             * If the CSR has a ExtKeyUsage extension, its extended key usages
+             * must match the extended key usages in the `usages` field of this
+             * CertificateRequest.
+             */
+            request: string;
+            /**
+             * UID contains the uid of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            uid: string;
+            /**
+             * Requested key usages and extended key usages.
+             *
+             * NOTE: If the CSR in the `Request` field has uses the KeyUsage or
+             * ExtKeyUsage extension, these extensions must have the same values
+             * as specified here without any additional values.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages: string[];
+            /**
+             * Username contains the name of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            username: string;
+        }
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        interface CertificateRequestSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        interface CertificateRequestSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+        /**
+         * Specification of the desired state of the CertificateRequest resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateRequestSpecPatch {
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             */
+            duration: string;
+            /**
+             * Extra contains extra attributes of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            extra: {
+                [key: string]: string[];
+            };
+            /**
+             * Groups contains group membership of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            groups: string[];
+            /**
+             * Requested basic constraints isCA value. Note that the issuer may choose
+             * to ignore the requested isCA value, just like any other requested attribute.
+             *
+             * NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
+             * it must have the same isCA value as specified here.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA: boolean;
+            issuerRef: outputs.cert_manager.v1.CertificateRequestSpecIssuerRefPatch;
+            /**
+             * The PEM-encoded X.509 certificate signing request to be submitted to the
+             * issuer for signing.
+             *
+             * If the CSR has a BasicConstraints extension, its isCA attribute must
+             * match the `isCA` value of this CertificateRequest.
+             * If the CSR has a KeyUsage extension, its key usages must match the
+             * key usages in the `usages` field of this CertificateRequest.
+             * If the CSR has a ExtKeyUsage extension, its extended key usages
+             * must match the extended key usages in the `usages` field of this
+             * CertificateRequest.
+             */
+            request: string;
+            /**
+             * UID contains the uid of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            uid: string;
+            /**
+             * Requested key usages and extended key usages.
+             *
+             * NOTE: If the CSR in the `Request` field has uses the KeyUsage or
+             * ExtKeyUsage extension, these extensions must have the same values
+             * as specified here without any additional values.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages: string[];
+            /**
+             * Username contains the name of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            username: string;
+        }
+        /**
+         * Status of the CertificateRequest.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateRequestStatus {
+            /**
+             * The PEM encoded X.509 certificate of the signer, also known as the CA
+             * (Certificate Authority).
+             * This is set on a best-effort basis by different issuers.
+             * If not set, the CA is assumed to be unknown/not available.
+             */
+            ca: string;
+            /**
+             * The PEM encoded X.509 certificate resulting from the certificate
+             * signing request.
+             * If not set, the CertificateRequest has either not been completed or has
+             * failed. More information on failure can be found by checking the
+             * `conditions` field.
+             */
+            certificate: string;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
+             */
+            conditions: outputs.cert_manager.v1.CertificateRequestStatusConditions[];
+            /**
+             * FailureTime stores the time that this CertificateRequest failed. This is
+             * used to influence garbage collection and back-off.
+             */
+            failureTime: string;
+        }
+        /**
+         * CertificateRequestCondition contains condition information for a CertificateRequest.
+         */
+        interface CertificateRequestStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`, `InvalidRequest`,
+             * `Approved`, `Denied`).
+             */
+            type: string;
+        }
+        /**
+         * CertificateRequestCondition contains condition information for a CertificateRequest.
+         */
+        interface CertificateRequestStatusConditionsPatch {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`, `InvalidRequest`,
+             * `Approved`, `Denied`).
+             */
+            type: string;
+        }
+        /**
+         * Status of the CertificateRequest.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateRequestStatusPatch {
+            /**
+             * The PEM encoded X.509 certificate of the signer, also known as the CA
+             * (Certificate Authority).
+             * This is set on a best-effort basis by different issuers.
+             * If not set, the CA is assumed to be unknown/not available.
+             */
+            ca: string;
+            /**
+             * The PEM encoded X.509 certificate resulting from the certificate
+             * signing request.
+             * If not set, the CertificateRequest has either not been completed or has
+             * failed. More information on failure can be found by checking the
+             * `conditions` field.
+             */
+            certificate: string;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
+             */
+            conditions: outputs.cert_manager.v1.CertificateRequestStatusConditionsPatch[];
+            /**
+             * FailureTime stores the time that this CertificateRequest failed. This is
+             * used to influence garbage collection and back-off.
+             */
+            failureTime: string;
+        }
+        /**
+         * Specification of the desired state of the Certificate resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateSpec {
+            /**
+             * Defines extra output formats of the private key and signed certificate chain
+             * to be written to this Certificate's target Secret.
+             */
+            additionalOutputFormats: outputs.cert_manager.v1.CertificateSpecAdditionalOutputFormats[];
+            /**
+             * Requested common name X509 certificate subject attribute.
+             * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+             * NOTE: TLS clients will ignore this value when any subject alternative name is
+             * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
+             *
+             * Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
+             * Cannot be set if the `literalSubject` field is set.
+             */
+            commonName: string;
+            /**
+             * Requested DNS subject alternative names.
+             */
+            dnsNames: string[];
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             *
+             * If unset, this defaults to 90 days.
+             * Minimum accepted duration is 1 hour.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             */
+            duration: string;
+            /**
+             * Requested email subject alternative names.
+             */
+            emailAddresses: string[];
+            /**
+             * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
+             *
+             * This option defaults to true, and should only be disabled if the target
+             * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
+             */
+            encodeUsagesInRequest: boolean;
+            /**
+             * Requested IP address subject alternative names.
+             */
+            ipAddresses: string[];
+            /**
+             * Requested basic constraints isCA value.
+             * The isCA value is used to set the `isCA` field on the created CertificateRequest
+             * resources. Note that the issuer may choose to ignore the requested isCA value, just
+             * like any other requested attribute.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA: boolean;
+            issuerRef: outputs.cert_manager.v1.CertificateSpecIssuerRef;
+            keystores: outputs.cert_manager.v1.CertificateSpecKeystores;
+            /**
+             * Requested X.509 certificate subject, represented using the LDAP "String
+             * Representation of a Distinguished Name" [1].
+             * Important: the LDAP string format also specifies the order of the attributes
+             * in the subject, this is important when issuing certs for LDAP authentication.
+             * Example: `CN=foo,DC=corp,DC=example,DC=com`
+             * More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
+             * More info: https://github.com/cert-manager/cert-manager/issues/3203
+             * More info: https://github.com/cert-manager/cert-manager/issues/4424
+             *
+             * Cannot be set if the `subject` or `commonName` field is set.
+             */
+            literalSubject: string;
+            nameConstraints: outputs.cert_manager.v1.CertificateSpecNameConstraints;
+            /**
+             * `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+             * Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+             * Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+             * You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+             */
+            otherNames: outputs.cert_manager.v1.CertificateSpecOtherNames[];
+            privateKey: outputs.cert_manager.v1.CertificateSpecPrivateKey;
+            /**
+             * How long before the currently issued certificate's expiry cert-manager should
+             * renew the certificate. For example, if a certificate is valid for 60 minutes,
+             * and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
+             * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
+             * the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * If unset, this defaults to 1/3 of the issued certificate's lifetime.
+             * Minimum accepted value is 5 minutes.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             * Cannot be set if the `renewBeforePercentage` field is set.
+             */
+            renewBefore: string;
+            /**
+             * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
+             * rather than an absolute duration. For example, if a certificate is valid for 60
+             * minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
+             * renew the certificate 45 minutes after it was issued (i.e. when there are 15
+             * minutes (25%) remaining until the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * Value must be an integer in the range (0,100). The minimum effective
+             * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
+             * minutes.
+             * Cannot be set if the `renewBefore` field is set.
+             */
+            renewBeforePercentage: number;
+            /**
+             * The maximum number of CertificateRequest revisions that are maintained in
+             * the Certificate's history. Each revision represents a single `CertificateRequest`
+             * created by this Certificate, either when it was created, renewed, or Spec
+             * was changed. Revisions will be removed by oldest first if the number of
+             * revisions exceeds this number.
+             *
+             * If set, revisionHistoryLimit must be a value of `1` or greater.
+             * Default value is `1`.
+             */
+            revisionHistoryLimit: number;
+            /**
+             * Name of the Secret resource that will be automatically created and
+             * managed by this Certificate resource. It will be populated with a
+             * private key and certificate, signed by the denoted issuer. The Secret
+             * resource lives in the same namespace as the Certificate resource.
+             */
+            secretName: string;
+            secretTemplate: outputs.cert_manager.v1.CertificateSpecSecretTemplate;
+            /**
+             * Signature algorithm to use.
+             * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
+             * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
+             * Allowed values for Ed25519 keys: PureEd25519.
+             */
+            signatureAlgorithm: string;
+            subject: outputs.cert_manager.v1.CertificateSpecSubject;
+            /**
+             * Requested URI subject alternative names.
+             */
+            uris: string[];
+            /**
+             * Requested key usages and extended key usages.
+             * These usages are used to set the `usages` field on the created CertificateRequest
+             * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
+             * will additionally be encoded in the `request` field which contains the CSR blob.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages: string[];
+        }
+        /**
+         * CertificateAdditionalOutputFormat defines an additional output format of a
+         * Certificate resource. These contain supplementary data formats of the signed
+         * certificate chain and paired private key.
+         */
+        interface CertificateSpecAdditionalOutputFormats {
+            /**
+             * Type is the name of the format type that should be written to the
+             * Certificate's target Secret.
+             */
+            type: string;
+        }
+        /**
+         * CertificateAdditionalOutputFormat defines an additional output format of a
+         * Certificate resource. These contain supplementary data formats of the signed
+         * certificate chain and paired private key.
+         */
+        interface CertificateSpecAdditionalOutputFormatsPatch {
+            /**
+             * Type is the name of the format type that should be written to the
+             * Certificate's target Secret.
+             */
+            type: string;
+        }
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        interface CertificateSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        interface CertificateSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+        /**
+         * Additional keystore output formats to be stored in the Certificate's Secret.
+         */
+        interface CertificateSpecKeystores {
+            jks: outputs.cert_manager.v1.CertificateSpecKeystoresJks;
+            pkcs12: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12;
+        }
+        /**
+         * JKS configures options for storing a JKS keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        interface CertificateSpecKeystoresJks {
+            /**
+             * Alias specifies the alias of the key in the keystore, required by the JKS format.
+             * If not provided, the default alias `certificate` will be used.
+             */
+            alias: string;
+            /**
+             * Create enables JKS keystore creation for the Certificate.
+             * If true, a file named `keystore.jks` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.jks`
+             * will also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef`
+             * containing the issuing Certificate Authority
+             */
+            create: boolean;
+            /**
+             * Password provides a literal password used to encrypt the JKS keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password: string;
+            passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRef;
+        }
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the JKS keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        interface CertificateSpecKeystoresJksPasswordSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the JKS keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        interface CertificateSpecKeystoresJksPasswordSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * JKS configures options for storing a JKS keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        interface CertificateSpecKeystoresJksPatch {
+            /**
+             * Alias specifies the alias of the key in the keystore, required by the JKS format.
+             * If not provided, the default alias `certificate` will be used.
+             */
+            alias: string;
+            /**
+             * Create enables JKS keystore creation for the Certificate.
+             * If true, a file named `keystore.jks` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.jks`
+             * will also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef`
+             * containing the issuing Certificate Authority
+             */
+            create: boolean;
+            /**
+             * Password provides a literal password used to encrypt the JKS keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password: string;
+            passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRefPatch;
+        }
+        /**
+         * Additional keystore output formats to be stored in the Certificate's Secret.
+         */
+        interface CertificateSpecKeystoresPatch {
+            jks: outputs.cert_manager.v1.CertificateSpecKeystoresJksPatch;
+            pkcs12: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12Patch;
+        }
+        /**
+         * PKCS12 configures options for storing a PKCS12 keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        interface CertificateSpecKeystoresPkcs12 {
+            /**
+             * Create enables PKCS12 keystore creation for the Certificate.
+             * If true, a file named `keystore.p12` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or in `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.p12` will
+             * also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef` containing the issuing Certificate
+             * Authority
+             */
+            create: boolean;
+            /**
+             * Password provides a literal password used to encrypt the PKCS#12 keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password: string;
+            passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRef;
+            /**
+             * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
+             * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
+             *
+             * If provided, allowed values are:
+             * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+             * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+             * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+             * (e.g., because of company policy). Please note that the security of the algorithm is not that important
+             * in reality, because the unencrypted certificate and private key are also stored in the Secret.
+             */
+            profile: string;
+        }
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the PKCS#12 keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        interface CertificateSpecKeystoresPkcs12PasswordSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the PKCS#12 keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        interface CertificateSpecKeystoresPkcs12PasswordSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PKCS12 configures options for storing a PKCS12 keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        interface CertificateSpecKeystoresPkcs12Patch {
+            /**
+             * Create enables PKCS12 keystore creation for the Certificate.
+             * If true, a file named `keystore.p12` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or in `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.p12` will
+             * also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef` containing the issuing Certificate
+             * Authority
+             */
+            create: boolean;
+            /**
+             * Password provides a literal password used to encrypt the PKCS#12 keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password: string;
+            passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRefPatch;
+            /**
+             * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
+             * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
+             *
+             * If provided, allowed values are:
+             * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+             * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+             * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+             * (e.g., because of company policy). Please note that the security of the algorithm is not that important
+             * in reality, because the unencrypted certificate and private key are also stored in the Secret.
+             */
+            profile: string;
+        }
+        /**
+         * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
+         * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+         *
+         * This is an Alpha Feature and is only enabled with the
+         * `--feature-gates=NameConstraints=true` option set on both
+         * the controller and webhook components.
+         */
+        interface CertificateSpecNameConstraints {
+            /**
+             * if true then the name constraints are marked critical.
+             */
+            critical: boolean;
+            excluded: outputs.cert_manager.v1.CertificateSpecNameConstraintsExcluded;
+            permitted: outputs.cert_manager.v1.CertificateSpecNameConstraintsPermitted;
+        }
+        /**
+         * Excluded contains the constraints which must be disallowed. Any name matching a
+         * restriction in the excluded field is invalid regardless
+         * of information appearing in the permitted
+         */
+        interface CertificateSpecNameConstraintsExcluded {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains: string[];
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses: string[];
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges: string[];
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains: string[];
+        }
+        /**
+         * Excluded contains the constraints which must be disallowed. Any name matching a
+         * restriction in the excluded field is invalid regardless
+         * of information appearing in the permitted
+         */
+        interface CertificateSpecNameConstraintsExcludedPatch {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains: string[];
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses: string[];
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges: string[];
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains: string[];
+        }
+        /**
+         * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
+         * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+         *
+         * This is an Alpha Feature and is only enabled with the
+         * `--feature-gates=NameConstraints=true` option set on both
+         * the controller and webhook components.
+         */
+        interface CertificateSpecNameConstraintsPatch {
+            /**
+             * if true then the name constraints are marked critical.
+             */
+            critical: boolean;
+            excluded: outputs.cert_manager.v1.CertificateSpecNameConstraintsExcludedPatch;
+            permitted: outputs.cert_manager.v1.CertificateSpecNameConstraintsPermittedPatch;
+        }
+        /**
+         * Permitted contains the constraints in which the names must be located.
+         */
+        interface CertificateSpecNameConstraintsPermitted {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains: string[];
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses: string[];
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges: string[];
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains: string[];
+        }
+        /**
+         * Permitted contains the constraints in which the names must be located.
+         */
+        interface CertificateSpecNameConstraintsPermittedPatch {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains: string[];
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses: string[];
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges: string[];
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains: string[];
+        }
+        interface CertificateSpecOtherNames {
+            /**
+             * OID is the object identifier for the otherName SAN.
+             * The object identifier must be expressed as a dotted string, for
+             * example, "1.2.840.113556.1.4.221".
+             */
+            oid: string;
+            /**
+             * utf8Value is the string value of the otherName SAN.
+             * The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+             */
+            utf8Value: string;
+        }
+        interface CertificateSpecOtherNamesPatch {
+            /**
+             * OID is the object identifier for the otherName SAN.
+             * The object identifier must be expressed as a dotted string, for
+             * example, "1.2.840.113556.1.4.221".
+             */
+            oid: string;
+            /**
+             * utf8Value is the string value of the otherName SAN.
+             * The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+             */
+            utf8Value: string;
+        }
+        /**
+         * Specification of the desired state of the Certificate resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateSpecPatch {
+            /**
+             * Defines extra output formats of the private key and signed certificate chain
+             * to be written to this Certificate's target Secret.
+             */
+            additionalOutputFormats: outputs.cert_manager.v1.CertificateSpecAdditionalOutputFormatsPatch[];
+            /**
+             * Requested common name X509 certificate subject attribute.
+             * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+             * NOTE: TLS clients will ignore this value when any subject alternative name is
+             * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
+             *
+             * Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
+             * Cannot be set if the `literalSubject` field is set.
+             */
+            commonName: string;
+            /**
+             * Requested DNS subject alternative names.
+             */
+            dnsNames: string[];
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             *
+             * If unset, this defaults to 90 days.
+             * Minimum accepted duration is 1 hour.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             */
+            duration: string;
+            /**
+             * Requested email subject alternative names.
+             */
+            emailAddresses: string[];
+            /**
+             * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
+             *
+             * This option defaults to true, and should only be disabled if the target
+             * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
+             */
+            encodeUsagesInRequest: boolean;
+            /**
+             * Requested IP address subject alternative names.
+             */
+            ipAddresses: string[];
+            /**
+             * Requested basic constraints isCA value.
+             * The isCA value is used to set the `isCA` field on the created CertificateRequest
+             * resources. Note that the issuer may choose to ignore the requested isCA value, just
+             * like any other requested attribute.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA: boolean;
+            issuerRef: outputs.cert_manager.v1.CertificateSpecIssuerRefPatch;
+            keystores: outputs.cert_manager.v1.CertificateSpecKeystoresPatch;
+            /**
+             * Requested X.509 certificate subject, represented using the LDAP "String
+             * Representation of a Distinguished Name" [1].
+             * Important: the LDAP string format also specifies the order of the attributes
+             * in the subject, this is important when issuing certs for LDAP authentication.
+             * Example: `CN=foo,DC=corp,DC=example,DC=com`
+             * More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
+             * More info: https://github.com/cert-manager/cert-manager/issues/3203
+             * More info: https://github.com/cert-manager/cert-manager/issues/4424
+             *
+             * Cannot be set if the `subject` or `commonName` field is set.
+             */
+            literalSubject: string;
+            nameConstraints: outputs.cert_manager.v1.CertificateSpecNameConstraintsPatch;
+            /**
+             * `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+             * Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+             * Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+             * You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+             */
+            otherNames: outputs.cert_manager.v1.CertificateSpecOtherNamesPatch[];
+            privateKey: outputs.cert_manager.v1.CertificateSpecPrivateKeyPatch;
+            /**
+             * How long before the currently issued certificate's expiry cert-manager should
+             * renew the certificate. For example, if a certificate is valid for 60 minutes,
+             * and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
+             * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
+             * the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * If unset, this defaults to 1/3 of the issued certificate's lifetime.
+             * Minimum accepted value is 5 minutes.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             * Cannot be set if the `renewBeforePercentage` field is set.
+             */
+            renewBefore: string;
+            /**
+             * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
+             * rather than an absolute duration. For example, if a certificate is valid for 60
+             * minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
+             * renew the certificate 45 minutes after it was issued (i.e. when there are 15
+             * minutes (25%) remaining until the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * Value must be an integer in the range (0,100). The minimum effective
+             * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
+             * minutes.
+             * Cannot be set if the `renewBefore` field is set.
+             */
+            renewBeforePercentage: number;
+            /**
+             * The maximum number of CertificateRequest revisions that are maintained in
+             * the Certificate's history. Each revision represents a single `CertificateRequest`
+             * created by this Certificate, either when it was created, renewed, or Spec
+             * was changed. Revisions will be removed by oldest first if the number of
+             * revisions exceeds this number.
+             *
+             * If set, revisionHistoryLimit must be a value of `1` or greater.
+             * Default value is `1`.
+             */
+            revisionHistoryLimit: number;
+            /**
+             * Name of the Secret resource that will be automatically created and
+             * managed by this Certificate resource. It will be populated with a
+             * private key and certificate, signed by the denoted issuer. The Secret
+             * resource lives in the same namespace as the Certificate resource.
+             */
+            secretName: string;
+            secretTemplate: outputs.cert_manager.v1.CertificateSpecSecretTemplatePatch;
+            /**
+             * Signature algorithm to use.
+             * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
+             * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
+             * Allowed values for Ed25519 keys: PureEd25519.
+             */
+            signatureAlgorithm: string;
+            subject: outputs.cert_manager.v1.CertificateSpecSubjectPatch;
+            /**
+             * Requested URI subject alternative names.
+             */
+            uris: string[];
+            /**
+             * Requested key usages and extended key usages.
+             * These usages are used to set the `usages` field on the created CertificateRequest
+             * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
+             * will additionally be encoded in the `request` field which contains the CSR blob.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages: string[];
+        }
+        /**
+         * Private key options. These include the key algorithm and size, the used
+         * encoding and the rotation policy.
+         */
+        interface CertificateSpecPrivateKey {
+            /**
+             * Algorithm is the private key algorithm of the corresponding private key
+             * for this certificate.
+             *
+             * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
+             * If `algorithm` is specified and `size` is not provided,
+             * key size of 2048 will be used for `RSA` key algorithm and
+             * key size of 256 will be used for `ECDSA` key algorithm.
+             * key size is ignored when using the `Ed25519` key algorithm.
+             */
+            algorithm: string;
+            /**
+             * The private key cryptography standards (PKCS) encoding for this
+             * certificate's private key to be encoded in.
+             *
+             * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+             * and PKCS#8, respectively.
+             * Defaults to `PKCS1` if not specified.
+             */
+            encoding: string;
+            /**
+             * RotationPolicy controls how private keys should be regenerated when a
+             * re-issuance is being processed.
+             *
+             * If set to `Never`, a private key will only be generated if one does not
+             * already exist in the target `spec.secretName`. If one does exist but it
+             * does not have the correct algorithm or size, a warning will be raised
+             * to await user intervention.
+             * If set to `Always`, a private key matching the specified requirements
+             * will be generated whenever a re-issuance occurs.
+             * Default is `Always`.
+             * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
+             * The new default can be disabled by setting the
+             * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
+             * the controller component.
+             */
+            rotationPolicy: string;
+            /**
+             * Size is the key bit size of the corresponding private key for this certificate.
+             *
+             * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+             * and will default to `2048` if not specified.
+             * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+             * and will default to `256` if not specified.
+             * If `algorithm` is set to `Ed25519`, Size is ignored.
+             * No other values are allowed.
+             */
+            size: number;
+        }
+        /**
+         * Private key options. These include the key algorithm and size, the used
+         * encoding and the rotation policy.
+         */
+        interface CertificateSpecPrivateKeyPatch {
+            /**
+             * Algorithm is the private key algorithm of the corresponding private key
+             * for this certificate.
+             *
+             * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
+             * If `algorithm` is specified and `size` is not provided,
+             * key size of 2048 will be used for `RSA` key algorithm and
+             * key size of 256 will be used for `ECDSA` key algorithm.
+             * key size is ignored when using the `Ed25519` key algorithm.
+             */
+            algorithm: string;
+            /**
+             * The private key cryptography standards (PKCS) encoding for this
+             * certificate's private key to be encoded in.
+             *
+             * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+             * and PKCS#8, respectively.
+             * Defaults to `PKCS1` if not specified.
+             */
+            encoding: string;
+            /**
+             * RotationPolicy controls how private keys should be regenerated when a
+             * re-issuance is being processed.
+             *
+             * If set to `Never`, a private key will only be generated if one does not
+             * already exist in the target `spec.secretName`. If one does exist but it
+             * does not have the correct algorithm or size, a warning will be raised
+             * to await user intervention.
+             * If set to `Always`, a private key matching the specified requirements
+             * will be generated whenever a re-issuance occurs.
+             * Default is `Always`.
+             * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
+             * The new default can be disabled by setting the
+             * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
+             * the controller component.
+             */
+            rotationPolicy: string;
+            /**
+             * Size is the key bit size of the corresponding private key for this certificate.
+             *
+             * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+             * and will default to `2048` if not specified.
+             * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+             * and will default to `256` if not specified.
+             * If `algorithm` is set to `Ed25519`, Size is ignored.
+             * No other values are allowed.
+             */
+            size: number;
+        }
+        /**
+         * Defines annotations and labels to be copied to the Certificate's Secret.
+         * Labels and annotations on the Secret will be changed as they appear on the
+         * SecretTemplate when added or removed. SecretTemplate annotations are added
+         * in conjunction with, and cannot overwrite, the base set of annotations
+         * cert-manager sets on the Certificate's Secret.
+         */
+        interface CertificateSpecSecretTemplate {
+            /**
+             * Annotations is a key value map to be copied to the target Kubernetes Secret.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels is a key value map to be copied to the target Kubernetes Secret.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines annotations and labels to be copied to the Certificate's Secret.
+         * Labels and annotations on the Secret will be changed as they appear on the
+         * SecretTemplate when added or removed. SecretTemplate annotations are added
+         * in conjunction with, and cannot overwrite, the base set of annotations
+         * cert-manager sets on the Certificate's Secret.
+         */
+        interface CertificateSpecSecretTemplatePatch {
+            /**
+             * Annotations is a key value map to be copied to the target Kubernetes Secret.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels is a key value map to be copied to the target Kubernetes Secret.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Requested set of X509 certificate subject attributes.
+         * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+         *
+         * The common name attribute is specified separately in the `commonName` field.
+         * Cannot be set if the `literalSubject` field is set.
+         */
+        interface CertificateSpecSubject {
+            /**
+             * Countries to be used on the Certificate.
+             */
+            countries: string[];
+            /**
+             * Cities to be used on the Certificate.
+             */
+            localities: string[];
+            /**
+             * Organizational Units to be used on the Certificate.
+             */
+            organizationalUnits: string[];
+            /**
+             * Organizations to be used on the Certificate.
+             */
+            organizations: string[];
+            /**
+             * Postal codes to be used on the Certificate.
+             */
+            postalCodes: string[];
+            /**
+             * State/Provinces to be used on the Certificate.
+             */
+            provinces: string[];
+            /**
+             * Serial number to be used on the Certificate.
+             */
+            serialNumber: string;
+            /**
+             * Street addresses to be used on the Certificate.
+             */
+            streetAddresses: string[];
+        }
+        /**
+         * Requested set of X509 certificate subject attributes.
+         * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+         *
+         * The common name attribute is specified separately in the `commonName` field.
+         * Cannot be set if the `literalSubject` field is set.
+         */
+        interface CertificateSpecSubjectPatch {
+            /**
+             * Countries to be used on the Certificate.
+             */
+            countries: string[];
+            /**
+             * Cities to be used on the Certificate.
+             */
+            localities: string[];
+            /**
+             * Organizational Units to be used on the Certificate.
+             */
+            organizationalUnits: string[];
+            /**
+             * Organizations to be used on the Certificate.
+             */
+            organizations: string[];
+            /**
+             * Postal codes to be used on the Certificate.
+             */
+            postalCodes: string[];
+            /**
+             * State/Provinces to be used on the Certificate.
+             */
+            provinces: string[];
+            /**
+             * Serial number to be used on the Certificate.
+             */
+            serialNumber: string;
+            /**
+             * Street addresses to be used on the Certificate.
+             */
+            streetAddresses: string[];
+        }
+        /**
+         * Status of the Certificate.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateStatus {
+            /**
+             * List of status conditions to indicate the status of certificates.
+             * Known condition types are `Ready` and `Issuing`.
+             */
+            conditions: outputs.cert_manager.v1.CertificateStatusConditions[];
+            /**
+             * The number of continuous failed issuance attempts up till now. This
+             * field gets removed (if set) on a successful issuance and gets set to
+             * 1 if unset and an issuance has failed. If an issuance has failed, the
+             * delay till the next issuance will be calculated using formula
+             * time.Hour * 2 ^ (failedIssuanceAttempts - 1).
+             */
+            failedIssuanceAttempts: number;
+            /**
+             * LastFailureTime is set only if the latest issuance for this
+             * Certificate failed and contains the time of the failure. If an
+             * issuance has failed, the delay till the next issuance will be
+             * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
+             * 1). If the latest issuance has succeeded this field will be unset.
+             */
+            lastFailureTime: string;
+            /**
+             * The name of the Secret resource containing the private key to be used
+             * for the next certificate iteration.
+             * The keymanager controller will automatically set this field if the
+             * `Issuing` condition is set to `True`.
+             * It will automatically unset this field when the Issuing condition is
+             * not set or False.
+             */
+            nextPrivateKeySecretName: string;
+            /**
+             * The expiration time of the certificate stored in the secret named
+             * by this resource in `spec.secretName`.
+             */
+            notAfter: string;
+            /**
+             * The time after which the certificate stored in the secret named
+             * by this resource in `spec.secretName` is valid.
+             */
+            notBefore: string;
+            /**
+             * RenewalTime is the time at which the certificate will be next
+             * renewed.
+             * If not set, no upcoming renewal is scheduled.
+             */
+            renewalTime: string;
+            /**
+             * The current 'revision' of the certificate as issued.
+             *
+             * When a CertificateRequest resource is created, it will have the
+             * `cert-manager.io/certificate-revision` set to one greater than the
+             * current value of this field.
+             *
+             * Upon issuance, this field will be set to the value of the annotation
+             * on the CertificateRequest resource used to issue the certificate.
+             *
+             * Persisting the value on the CertificateRequest resource allows the
+             * certificates controller to know whether a request is part of an old
+             * issuance or if it is part of the ongoing revision's issuance by
+             * checking if the revision value in the annotation is greater than this
+             * field.
+             */
+            revision: number;
+        }
+        /**
+         * CertificateCondition contains condition information for a Certificate.
+         */
+        interface CertificateStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Certificate.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`, `Issuing`).
+             */
+            type: string;
+        }
+        /**
+         * CertificateCondition contains condition information for a Certificate.
+         */
+        interface CertificateStatusConditionsPatch {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Certificate.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`, `Issuing`).
+             */
+            type: string;
+        }
+        /**
+         * Status of the Certificate.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        interface CertificateStatusPatch {
+            /**
+             * List of status conditions to indicate the status of certificates.
+             * Known condition types are `Ready` and `Issuing`.
+             */
+            conditions: outputs.cert_manager.v1.CertificateStatusConditionsPatch[];
+            /**
+             * The number of continuous failed issuance attempts up till now. This
+             * field gets removed (if set) on a successful issuance and gets set to
+             * 1 if unset and an issuance has failed. If an issuance has failed, the
+             * delay till the next issuance will be calculated using formula
+             * time.Hour * 2 ^ (failedIssuanceAttempts - 1).
+             */
+            failedIssuanceAttempts: number;
+            /**
+             * LastFailureTime is set only if the latest issuance for this
+             * Certificate failed and contains the time of the failure. If an
+             * issuance has failed, the delay till the next issuance will be
+             * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
+             * 1). If the latest issuance has succeeded this field will be unset.
+             */
+            lastFailureTime: string;
+            /**
+             * The name of the Secret resource containing the private key to be used
+             * for the next certificate iteration.
+             * The keymanager controller will automatically set this field if the
+             * `Issuing` condition is set to `True`.
+             * It will automatically unset this field when the Issuing condition is
+             * not set or False.
+             */
+            nextPrivateKeySecretName: string;
+            /**
+             * The expiration time of the certificate stored in the secret named
+             * by this resource in `spec.secretName`.
+             */
+            notAfter: string;
+            /**
+             * The time after which the certificate stored in the secret named
+             * by this resource in `spec.secretName` is valid.
+             */
+            notBefore: string;
+            /**
+             * RenewalTime is the time at which the certificate will be next
+             * renewed.
+             * If not set, no upcoming renewal is scheduled.
+             */
+            renewalTime: string;
+            /**
+             * The current 'revision' of the certificate as issued.
+             *
+             * When a CertificateRequest resource is created, it will have the
+             * `cert-manager.io/certificate-revision` set to one greater than the
+             * current value of this field.
+             *
+             * Upon issuance, this field will be set to the value of the annotation
+             * on the CertificateRequest resource used to issue the certificate.
+             *
+             * Persisting the value on the CertificateRequest resource allows the
+             * certificates controller to know whether a request is part of an old
+             * issuance or if it is part of the ongoing revision's issuance by
+             * checking if the revision value in the annotation is greater than this
+             * field.
+             */
+            revision: number;
+        }
+        /**
+         * A ClusterIssuer represents a certificate issuing authority which can be
+         * referenced as part of `issuerRef` fields.
+         * It is similar to an Issuer, however it is cluster-scoped and therefore can
+         * be referenced by resources that exist in *any* namespace, not just the same
+         * namespace as the referent.
+         */
+        interface ClusterIssuer {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "ClusterIssuer";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpec;
+            status: outputs.cert_manager.v1.ClusterIssuerStatus;
+        }
+        /**
+         * Desired state of the ClusterIssuer resource.
+         */
+        interface ClusterIssuerSpec {
+            acme: outputs.cert_manager.v1.ClusterIssuerSpecAcme;
+            ca: outputs.cert_manager.v1.ClusterIssuerSpecCa;
+            selfSigned: outputs.cert_manager.v1.ClusterIssuerSpecSelfSigned;
+            vault: outputs.cert_manager.v1.ClusterIssuerSpecVault;
+            venafi: outputs.cert_manager.v1.ClusterIssuerSpecVenafi;
+        }
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        interface ClusterIssuerSpecAcme {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration: boolean;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email: string;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature: boolean;
+            externalAccountBinding: outputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBinding;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain: string;
+            privateKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRef;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server: string;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify: boolean;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolvers[];
+        }
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        interface ClusterIssuerSpecAcmeExternalAccountBinding {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm: string;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID: string;
+            keySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRef;
+        }
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        interface ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        interface ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        interface ClusterIssuerSpecAcmeExternalAccountBindingPatch {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm: string;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID: string;
+            keySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRefPatch;
+        }
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        interface ClusterIssuerSpecAcmePatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration: boolean;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email: string;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature: boolean;
+            externalAccountBinding: outputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingPatch;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain: string;
+            privateKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRefPatch;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server: string;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify: boolean;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversPatch[];
+        }
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        interface ClusterIssuerSpecAcmePrivateKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        interface ClusterIssuerSpecAcmePrivateKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        interface ClusterIssuerSpecAcmeSolvers {
+            dns01: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01;
+            http01: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01;
+            selector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversSelector;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01 {
+            acmeDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNS;
+            akamai: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Akamai;
+            azureDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNS;
+            cloudDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNS;
+            cloudflare: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Cloudflare;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Digitalocean;
+            rfc2136: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136;
+            route53: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53;
+            webhook: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Webhook;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AcmeDNS {
+            accountSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef;
+            host: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSPatch {
+            accountSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch;
+            host: string;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Akamai {
+            accessTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef;
+            clientSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef;
+            clientTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef;
+            serviceConsumerDomain: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AkamaiPatch {
+            accessTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch;
+            clientSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch;
+            clientTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch;
+            serviceConsumerDomain: string;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Cloudflare {
+            apiKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef;
+            apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01CloudflarePatch {
+            apiKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch;
+            apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Digitalocean {
+            tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanPatch {
+            tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Patch {
+            acmeDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSPatch;
+            akamai: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiPatch;
+            azureDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSPatch;
+            cloudDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSPatch;
+            cloudflare: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflarePatch;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanPatch;
+            rfc2136: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136Patch;
+            route53: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Patch;
+            webhook: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01WebhookPatch;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef;
+            auth: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Auth;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53Auth {
+            kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetes;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetes {
+            serviceAccountRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch {
+            serviceAccountRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch {
+            kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch;
+            auth: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {
+                [key: string]: any;
+            };
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface ClusterIssuerSpecAcmeSolversDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {
+                [key: string]: any;
+            };
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01 {
+            gatewayHTTPRoute: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute;
+            ingress: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01Ingress;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {
+                [key: string]: string;
+            };
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs[];
+            podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {
+                [key: string]: string;
+            };
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch[];
+            podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources;
+            securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch;
+            securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[];
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[];
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplate;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplate {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata;
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplate {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpec;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplatePatch {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpec {
+            affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources;
+            securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch {
+            affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch;
+            securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch[];
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls[];
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface ClusterIssuerSpecAcmeSolversHttp01Patch {
+            gatewayHTTPRoute: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch;
+            ingress: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPatch;
+        }
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        interface ClusterIssuerSpecAcmeSolversPatch {
+            dns01: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Patch;
+            http01: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01Patch;
+            selector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversSelectorPatch;
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface ClusterIssuerSpecAcmeSolversSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface ClusterIssuerSpecAcmeSolversSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        interface ClusterIssuerSpecCa {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints: string[];
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs: string[];
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers: string[];
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName: string;
+        }
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        interface ClusterIssuerSpecCaPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints: string[];
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs: string[];
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers: string[];
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName: string;
+        }
+        /**
+         * Desired state of the ClusterIssuer resource.
+         */
+        interface ClusterIssuerSpecPatch {
+            acme: outputs.cert_manager.v1.ClusterIssuerSpecAcmePatch;
+            ca: outputs.cert_manager.v1.ClusterIssuerSpecCaPatch;
+            selfSigned: outputs.cert_manager.v1.ClusterIssuerSpecSelfSignedPatch;
+            vault: outputs.cert_manager.v1.ClusterIssuerSpecVaultPatch;
+            venafi: outputs.cert_manager.v1.ClusterIssuerSpecVenafiPatch;
+        }
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        interface ClusterIssuerSpecSelfSigned {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints: string[];
+        }
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        interface ClusterIssuerSpecSelfSignedPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints: string[];
+        }
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        interface ClusterIssuerSpecVault {
+            auth: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuth;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultCaBundleSecretRef;
+            clientCertSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultClientCertSecretRef;
+            clientKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultClientKeySecretRef;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace: string;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path: string;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server: string;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        interface ClusterIssuerSpecVaultAuth {
+            appRole: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRole;
+            clientCertificate: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificate;
+            kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetes;
+            tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRef;
+        }
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        interface ClusterIssuerSpecVaultAuthAppRole {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path: string;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId: string;
+            secretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRoleSecretRef;
+        }
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        interface ClusterIssuerSpecVaultAuthAppRolePatch {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path: string;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId: string;
+            secretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRoleSecretRefPatch;
+        }
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        interface ClusterIssuerSpecVaultAuthAppRoleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        interface ClusterIssuerSpecVaultAuthAppRoleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        interface ClusterIssuerSpecVaultAuthClientCertificate {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath: string;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name: string;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName: string;
+        }
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        interface ClusterIssuerSpecVaultAuthClientCertificatePatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath: string;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name: string;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName: string;
+        }
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetes {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath: string;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role: string;
+            secretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesSecretRef;
+            serviceAccountRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesServiceAccountRef;
+        }
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesPatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath: string;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role: string;
+            secretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesSecretRefPatch;
+            serviceAccountRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesServiceAccountRefPatch;
+        }
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        interface ClusterIssuerSpecVaultAuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        interface ClusterIssuerSpecVaultAuthPatch {
+            appRole: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRolePatch;
+            clientCertificate: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificatePatch;
+            kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesPatch;
+            tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRefPatch;
+        }
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        interface ClusterIssuerSpecVaultAuthTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        interface ClusterIssuerSpecVaultAuthTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        interface ClusterIssuerSpecVaultCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        interface ClusterIssuerSpecVaultCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        interface ClusterIssuerSpecVaultClientCertSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        interface ClusterIssuerSpecVaultClientCertSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        interface ClusterIssuerSpecVaultClientKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        interface ClusterIssuerSpecVaultClientKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        interface ClusterIssuerSpecVaultPatch {
+            auth: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthPatch;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultCaBundleSecretRefPatch;
+            clientCertSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultClientCertSecretRefPatch;
+            clientKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultClientKeySecretRefPatch;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace: string;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path: string;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server: string;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName: string;
+        }
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        interface ClusterIssuerSpecVenafi {
+            cloud: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloud;
+            tpp: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTpp;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone: string;
+        }
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface ClusterIssuerSpecVenafiCloud {
+            apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRef;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url: string;
+        }
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        interface ClusterIssuerSpecVenafiCloudApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        interface ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface ClusterIssuerSpecVenafiCloudPatch {
+            apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url: string;
+        }
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        interface ClusterIssuerSpecVenafiPatch {
+            cloud: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudPatch;
+            tpp: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppPatch;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone: string;
+        }
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface ClusterIssuerSpecVenafiTpp {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRef;
+            credentialsRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRef;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url: string;
+        }
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        interface ClusterIssuerSpecVenafiTppCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        interface ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        interface ClusterIssuerSpecVenafiTppCredentialsRef {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        interface ClusterIssuerSpecVenafiTppCredentialsRefPatch {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface ClusterIssuerSpecVenafiTppPatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch;
+            credentialsRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRefPatch;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url: string;
+        }
+        /**
+         * Status of the ClusterIssuer. This is set and managed automatically.
+         */
+        interface ClusterIssuerStatus {
+            acme: outputs.cert_manager.v1.ClusterIssuerStatusAcme;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions: outputs.cert_manager.v1.ClusterIssuerStatusConditions[];
+        }
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        interface ClusterIssuerStatusAcme {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash: string;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail: string;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri: string;
+        }
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        interface ClusterIssuerStatusAcmePatch {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash: string;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail: string;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri: string;
+        }
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        interface ClusterIssuerStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type: string;
+        }
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        interface ClusterIssuerStatusConditionsPatch {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type: string;
+        }
+        /**
+         * Status of the ClusterIssuer. This is set and managed automatically.
+         */
+        interface ClusterIssuerStatusPatch {
+            acme: outputs.cert_manager.v1.ClusterIssuerStatusAcmePatch;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions: outputs.cert_manager.v1.ClusterIssuerStatusConditionsPatch[];
+        }
+        /**
+         * An Issuer represents a certificate issuing authority which can be
+         * referenced as part of `issuerRef` fields.
+         * It is scoped to a single namespace and can therefore only be referenced by
+         * resources within the same namespace.
+         */
+        interface Issuer {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Issuer";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.cert_manager.v1.IssuerSpec;
+            status: outputs.cert_manager.v1.IssuerStatus;
+        }
+        /**
+         * Desired state of the Issuer resource.
+         */
+        interface IssuerSpec {
+            acme: outputs.cert_manager.v1.IssuerSpecAcme;
+            ca: outputs.cert_manager.v1.IssuerSpecCa;
+            selfSigned: outputs.cert_manager.v1.IssuerSpecSelfSigned;
+            vault: outputs.cert_manager.v1.IssuerSpecVault;
+            venafi: outputs.cert_manager.v1.IssuerSpecVenafi;
+        }
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        interface IssuerSpecAcme {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration: boolean;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email: string;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature: boolean;
+            externalAccountBinding: outputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBinding;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain: string;
+            privateKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRef;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server: string;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify: boolean;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers: outputs.cert_manager.v1.IssuerSpecAcmeSolvers[];
+        }
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        interface IssuerSpecAcmeExternalAccountBinding {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm: string;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID: string;
+            keySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingKeySecretRef;
+        }
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        interface IssuerSpecAcmeExternalAccountBindingKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        interface IssuerSpecAcmeExternalAccountBindingKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        interface IssuerSpecAcmeExternalAccountBindingPatch {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm: string;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID: string;
+            keySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingKeySecretRefPatch;
+        }
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        interface IssuerSpecAcmePatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration: boolean;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email: string;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature: boolean;
+            externalAccountBinding: outputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingPatch;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain: string;
+            privateKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRefPatch;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server: string;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify: boolean;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers: outputs.cert_manager.v1.IssuerSpecAcmeSolversPatch[];
+        }
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        interface IssuerSpecAcmePrivateKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        interface IssuerSpecAcmePrivateKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        interface IssuerSpecAcmeSolvers {
+            dns01: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01;
+            http01: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01;
+            selector: outputs.cert_manager.v1.IssuerSpecAcmeSolversSelector;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface IssuerSpecAcmeSolversDns01 {
+            acmeDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNS;
+            akamai: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Akamai;
+            azureDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNS;
+            cloudDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNS;
+            cloudflare: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Cloudflare;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Digitalocean;
+            rfc2136: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136;
+            route53: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53;
+            webhook: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Webhook;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AcmeDNS {
+            accountSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef;
+            host: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AcmeDNSPatch {
+            accountSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch;
+            host: string;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Akamai {
+            accessTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef;
+            clientSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef;
+            clientTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef;
+            serviceConsumerDomain: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AkamaiPatch {
+            accessTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch;
+            clientSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch;
+            clientTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch;
+            serviceConsumerDomain: string;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef;
+        }
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Cloudflare {
+            apiKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef;
+            apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01CloudflarePatch {
+            apiKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch;
+            apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Digitalocean {
+            tokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef;
+        }
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01DigitaloceanPatch {
+            tokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        interface IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        interface IssuerSpecAcmeSolversDns01Patch {
+            acmeDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSPatch;
+            akamai: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiPatch;
+            azureDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSPatch;
+            cloudDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSPatch;
+            cloudflare: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflarePatch;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanPatch;
+            rfc2136: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136Patch;
+            route53: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Patch;
+            webhook: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01WebhookPatch;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef;
+        }
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        interface IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef;
+            auth: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Auth;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53Auth {
+            kubernetes: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetes;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthKubernetes {
+            serviceAccountRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef;
+        }
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch {
+            serviceAccountRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53AuthPatch {
+            kubernetes: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch;
+        }
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch;
+            auth: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthPatch;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        interface IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {
+                [key: string]: any;
+            };
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        interface IssuerSpecAcmeSolversDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {
+                [key: string]: any;
+            };
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface IssuerSpecAcmeSolversHttp01 {
+            gatewayHTTPRoute: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoute;
+            ingress: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01Ingress;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {
+                [key: string]: string;
+            };
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs[];
+            podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {
+                [key: string]: string;
+            };
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch[];
+            podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata;
+            spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch;
+            spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources;
+            securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch;
+            securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[];
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[];
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface IssuerSpecAcmeSolversHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplate;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressIngressTemplate {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata;
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch;
+        }
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplate {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata;
+            spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpec;
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplatePatch {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch;
+            spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpec {
+            affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources;
+            securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch {
+            affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {
+                [key: string]: string;
+            };
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch;
+            securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch[];
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {
+                [key: string]: number | string;
+            };
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {
+                [key: string]: number | string;
+            };
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls[];
+        }
+        /**
+         * If specified, the pod's security context
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        interface IssuerSpecAcmeSolversHttp01Patch {
+            gatewayHTTPRoute: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch;
+            ingress: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPatch;
+        }
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        interface IssuerSpecAcmeSolversPatch {
+            dns01: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Patch;
+            http01: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01Patch;
+            selector: outputs.cert_manager.v1.IssuerSpecAcmeSolversSelectorPatch;
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface IssuerSpecAcmeSolversSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        interface IssuerSpecAcmeSolversSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        interface IssuerSpecCa {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints: string[];
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs: string[];
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers: string[];
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName: string;
+        }
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        interface IssuerSpecCaPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints: string[];
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs: string[];
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers: string[];
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName: string;
+        }
+        /**
+         * Desired state of the Issuer resource.
+         */
+        interface IssuerSpecPatch {
+            acme: outputs.cert_manager.v1.IssuerSpecAcmePatch;
+            ca: outputs.cert_manager.v1.IssuerSpecCaPatch;
+            selfSigned: outputs.cert_manager.v1.IssuerSpecSelfSignedPatch;
+            vault: outputs.cert_manager.v1.IssuerSpecVaultPatch;
+            venafi: outputs.cert_manager.v1.IssuerSpecVenafiPatch;
+        }
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        interface IssuerSpecSelfSigned {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints: string[];
+        }
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        interface IssuerSpecSelfSignedPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints: string[];
+        }
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        interface IssuerSpecVault {
+            auth: outputs.cert_manager.v1.IssuerSpecVaultAuth;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVaultCaBundleSecretRef;
+            clientCertSecretRef: outputs.cert_manager.v1.IssuerSpecVaultClientCertSecretRef;
+            clientKeySecretRef: outputs.cert_manager.v1.IssuerSpecVaultClientKeySecretRef;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace: string;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path: string;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server: string;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        interface IssuerSpecVaultAuth {
+            appRole: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRole;
+            clientCertificate: outputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificate;
+            kubernetes: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetes;
+            tokenSecretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRef;
+        }
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        interface IssuerSpecVaultAuthAppRole {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path: string;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId: string;
+            secretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRoleSecretRef;
+        }
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        interface IssuerSpecVaultAuthAppRolePatch {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path: string;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId: string;
+            secretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRoleSecretRefPatch;
+        }
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        interface IssuerSpecVaultAuthAppRoleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        interface IssuerSpecVaultAuthAppRoleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        interface IssuerSpecVaultAuthClientCertificate {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath: string;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name: string;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName: string;
+        }
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        interface IssuerSpecVaultAuthClientCertificatePatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath: string;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name: string;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName: string;
+        }
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        interface IssuerSpecVaultAuthKubernetes {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath: string;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role: string;
+            secretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesSecretRef;
+            serviceAccountRef: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesServiceAccountRef;
+        }
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        interface IssuerSpecVaultAuthKubernetesPatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath: string;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role: string;
+            secretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesSecretRefPatch;
+            serviceAccountRef: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesServiceAccountRefPatch;
+        }
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        interface IssuerSpecVaultAuthKubernetesSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        interface IssuerSpecVaultAuthKubernetesSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        interface IssuerSpecVaultAuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        interface IssuerSpecVaultAuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        interface IssuerSpecVaultAuthPatch {
+            appRole: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRolePatch;
+            clientCertificate: outputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificatePatch;
+            kubernetes: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesPatch;
+            tokenSecretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRefPatch;
+        }
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        interface IssuerSpecVaultAuthTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        interface IssuerSpecVaultAuthTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        interface IssuerSpecVaultCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        interface IssuerSpecVaultCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        interface IssuerSpecVaultClientCertSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        interface IssuerSpecVaultClientCertSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        interface IssuerSpecVaultClientKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        interface IssuerSpecVaultClientKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        interface IssuerSpecVaultPatch {
+            auth: outputs.cert_manager.v1.IssuerSpecVaultAuthPatch;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVaultCaBundleSecretRefPatch;
+            clientCertSecretRef: outputs.cert_manager.v1.IssuerSpecVaultClientCertSecretRefPatch;
+            clientKeySecretRef: outputs.cert_manager.v1.IssuerSpecVaultClientKeySecretRefPatch;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace: string;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path: string;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server: string;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName: string;
+        }
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        interface IssuerSpecVenafi {
+            cloud: outputs.cert_manager.v1.IssuerSpecVenafiCloud;
+            tpp: outputs.cert_manager.v1.IssuerSpecVenafiTpp;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone: string;
+        }
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface IssuerSpecVenafiCloud {
+            apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRef;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url: string;
+        }
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        interface IssuerSpecVenafiCloudApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        interface IssuerSpecVenafiCloudApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface IssuerSpecVenafiCloudPatch {
+            apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRefPatch;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url: string;
+        }
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        interface IssuerSpecVenafiPatch {
+            cloud: outputs.cert_manager.v1.IssuerSpecVenafiCloudPatch;
+            tpp: outputs.cert_manager.v1.IssuerSpecVenafiTppPatch;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone: string;
+        }
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface IssuerSpecVenafiTpp {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRef;
+            credentialsRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRef;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url: string;
+        }
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        interface IssuerSpecVenafiTppCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        interface IssuerSpecVenafiTppCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        interface IssuerSpecVenafiTppCredentialsRef {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        interface IssuerSpecVenafiTppCredentialsRefPatch {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        interface IssuerSpecVenafiTppPatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRefPatch;
+            credentialsRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRefPatch;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url: string;
+        }
+        /**
+         * Status of the Issuer. This is set and managed automatically.
+         */
+        interface IssuerStatus {
+            acme: outputs.cert_manager.v1.IssuerStatusAcme;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions: outputs.cert_manager.v1.IssuerStatusConditions[];
+        }
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        interface IssuerStatusAcme {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash: string;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail: string;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri: string;
+        }
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        interface IssuerStatusAcmePatch {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash: string;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail: string;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri: string;
+        }
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        interface IssuerStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type: string;
+        }
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        interface IssuerStatusConditionsPatch {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type: string;
+        }
+        /**
+         * Status of the Issuer. This is set and managed automatically.
+         */
+        interface IssuerStatusPatch {
+            acme: outputs.cert_manager.v1.IssuerStatusAcmePatch;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions: outputs.cert_manager.v1.IssuerStatusConditionsPatch[];
+        }
+    }
+}
+export declare namespace gateway {
+    namespace v1 {
+        /**
+         * BackendTLSPolicy provides a way to configure how a Gateway
+         * connects to a Backend via TLS.
+         */
+        interface BackendTLSPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "BackendTLSPolicy";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.BackendTLSPolicySpec;
+            status: outputs.gateway.v1.BackendTLSPolicyStatus;
+        }
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicySpec {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs: outputs.gateway.v1.BackendTLSPolicySpecTargetRefs[];
+            validation: outputs.gateway.v1.BackendTLSPolicySpecValidation;
+        }
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicySpecPatch {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs: outputs.gateway.v1.BackendTLSPolicySpecTargetRefsPatch[];
+            validation: outputs.gateway.v1.BackendTLSPolicySpecValidationPatch;
+        }
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        interface BackendTLSPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName: string;
+        }
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        interface BackendTLSPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName: string;
+        }
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        interface BackendTLSPolicySpecValidation {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs: outputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefs[];
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames: outputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNames[];
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates: string;
+        }
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface BackendTLSPolicySpecValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface BackendTLSPolicySpecValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        interface BackendTLSPolicySpecValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs: outputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefsPatch[];
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames: outputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNamesPatch[];
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates: string;
+        }
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        interface BackendTLSPolicySpecValidationSubjectAltNames {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type: string;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri: string;
+        }
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        interface BackendTLSPolicySpecValidationSubjectAltNamesPatch {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type: string;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri: string;
+        }
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1.BackendTLSPolicyStatusAncestors[];
+        }
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        interface BackendTLSPolicyStatusAncestors {
+            ancestorRef: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRef;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        interface BackendTLSPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        interface BackendTLSPolicyStatusAncestorsAncestorRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface BackendTLSPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface BackendTLSPolicyStatusAncestorsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        interface BackendTLSPolicyStatusAncestorsPatch {
+            ancestorRef: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRefPatch;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicyStatusPatch {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsPatch[];
+        }
+        /**
+         * GRPCRoute provides a way to route gRPC requests. This includes the capability
+         * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+         * Filters can be used to specify additional processing steps. Backends specify
+         * where matching requests will be routed.
+         *
+         * GRPCRoute falls under extended support within the Gateway API. Within the
+         * following specification, the word "MUST" indicates that an implementation
+         * supporting GRPCRoute must conform to the indicated requirement, but an
+         * implementation not supporting this route type need not follow the requirement
+         * unless explicitly indicated.
+         *
+         * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+         * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+         * ALPN. If the implementation does not support this, then it MUST set the
+         * "Accepted" condition to "False" for the affected listener with a reason of
+         * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+         * with an upgrade from HTTP/1.
+         *
+         * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+         * support HTTP/2 over cleartext TCP (h2c,
+         * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+         * upgrade from HTTP/1.1, i.e. with prior knowledge
+         * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+         * does not support this, then it MUST set the "Accepted" condition to "False"
+         * for the affected listener with a reason of "UnsupportedProtocol".
+         * Implementations MAY also accept HTTP/2 connections with an upgrade from
+         * HTTP/1, i.e. without prior knowledge.
+         */
+        interface GRPCRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "GRPCRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.GRPCRouteSpec;
+            status: outputs.gateway.v1.GRPCRouteStatus;
+        }
+        /**
+         * Spec defines the desired state of GRPCRoute.
+         */
+        interface GRPCRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames to match against the GRPC
+             * Host header to select a GRPCRoute to process the request. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label MUST appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and GRPCRoute, there
+             * MUST be at least one intersecting hostname for the GRPCRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, any
+             * GRPCRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * GRPCRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` MUST NOT be considered for a match.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, and none
+             * match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+             * the implementation. The implementation MUST raise an 'Accepted' Condition
+             * with a status of `False` in the corresponding RouteParentStatus.
+             *
+             * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+             * Listener and that listener already has another Route (B) of the other
+             * type attached and the intersection of the hostnames of A and B is
+             * non-empty, then the implementation MUST accept exactly one of these two
+             * routes, determined by the following criteria, in order:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * The rejected Route MUST raise an 'Accepted' condition with a status of
+             * 'False' in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1.GRPCRouteSpecParentRefs[];
+            /**
+             * Rules are a list of GRPC matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1.GRPCRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface GRPCRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface GRPCRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Spec defines the desired state of GRPCRoute.
+         */
+        interface GRPCRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames to match against the GRPC
+             * Host header to select a GRPCRoute to process the request. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label MUST appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and GRPCRoute, there
+             * MUST be at least one intersecting hostname for the GRPCRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, any
+             * GRPCRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * GRPCRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` MUST NOT be considered for a match.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, and none
+             * match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+             * the implementation. The implementation MUST raise an 'Accepted' Condition
+             * with a status of `False` in the corresponding RouteParentStatus.
+             *
+             * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+             * Listener and that listener already has another Route (B) of the other
+             * type attached and the intersection of the hostnames of A and B is
+             * non-empty, then the implementation MUST accept exactly one of these two
+             * routes, determined by the following criteria, in order:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * The rejected Route MUST raise an 'Accepted' condition with a status of
+             * 'False' in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1.GRPCRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of GRPC matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1.GRPCRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * GRPCRouteRule defines the semantics for matching a gRPC request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface GRPCRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive an `UNAVAILABLE` status.
+             *
+             * See the GRPCBackendRef definition for the rules about what makes a single
+             * GRPCBackendRef invalid.
+             *
+             * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive an `UNAVAILABLE` status.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+             * Implementations may choose how that 50 percent is determined.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefs[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * The effects of ordering of multiple behaviors are currently unspecified.
+             * This can change in the future based on feedback during the alpha stage.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations that support
+             *   GRPCRoute.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * If an implementation cannot support a combination of filters, it must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1.GRPCRouteSpecRulesFilters[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * gRPC requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - method:
+             *     service: foo.bar
+             *   headers:
+             *     values:
+             *       version: 2
+             * - method:
+             *     service: foo.bar.v2
+             * ```
+             *
+             * For a request to match against this rule, it MUST satisfy
+             * EITHER of the two conditions:
+             *
+             * - service of foo.bar AND contains the header `version: 2`
+             * - service of foo.bar.v2
+             *
+             * See the documentation for GRPCRouteMatch on how to specify multiple
+             * match conditions to be ANDed together.
+             *
+             * If no matches are specified, the implementation MUST match every gRPC request.
+             *
+             * Proxy or Load Balancer routing configuration generated from GRPCRoutes
+             * MUST prioritize rules based on the following criteria, continuing on
+             * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+             * Precedence MUST be given to the rule with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             * * Characters in a matching service.
+             * * Characters in a matching method.
+             * * Header matches.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within the Route that has been given precedence,
+             * matching precedence MUST be granted to the first matching rule meeting
+             * the above criteria.
+             */
+            matches: outputs.gateway.v1.GRPCRouteSpecRulesMatches[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            sessionPersistence: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistence;
+        }
+        /**
+         * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface GRPCRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level MUST be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in GRPCRouteRule.)
+             */
+            filters: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFilters[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFilters {
+            extensionRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersExtensionRef;
+            requestHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirror;
+            responseHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type: string;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersPatch {
+            extensionRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch;
+            requestHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch;
+            responseHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type: string;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface GRPCRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level MUST be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in GRPCRouteRule.)
+             */
+            filters: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersPatch[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface GRPCRouteSpecRulesFilters {
+            extensionRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersExtensionRef;
+            requestHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirror;
+            responseHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type: string;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        interface GRPCRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        interface GRPCRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface GRPCRouteSpecRulesFiltersPatch {
+            extensionRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersExtensionRefPatch;
+            requestHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorPatch;
+            responseHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type: string;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirror {
+            backendRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * GRPCRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a gRPC request only if its service
+         * is `foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * matches:
+         *   - method:
+         *     type: Exact
+         *     service: "foo"
+         *     headers:
+         *   - name: "version"
+         *     value "v1"
+         *
+         * ```
+         */
+        interface GRPCRouteSpecRulesMatches {
+            /**
+             * Headers specifies gRPC request header matchers. Multiple match values are
+             * ANDed together, meaning, a request MUST match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1.GRPCRouteSpecRulesMatchesHeaders[];
+            method: outputs.gateway.v1.GRPCRouteSpecRulesMatchesMethod;
+        }
+        /**
+         * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+         * headers.
+         */
+        interface GRPCRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the gRPC Header to be matched.
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             */
+            type: string;
+            /**
+             * Value is the value of the gRPC Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+         * headers.
+         */
+        interface GRPCRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the gRPC Header to be matched.
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             */
+            type: string;
+            /**
+             * Value is the value of the gRPC Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * Method specifies a gRPC request service/method matcher. If this field is
+         * not specified, all services and methods will match.
+         */
+        interface GRPCRouteSpecRulesMatchesMethod {
+            /**
+             * Value of the method to match against. If left empty or omitted, will
+             * match all services.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            method: string;
+            /**
+             * Value of the service to match against. If left empty or omitted, will
+             * match any service.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            service: string;
+            /**
+             * Type specifies how to match against the service and/or method.
+             * Support: Core (Exact with service and method specified)
+             *
+             * Support: Implementation-specific (Exact with method specified but no service specified)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+        }
+        /**
+         * Method specifies a gRPC request service/method matcher. If this field is
+         * not specified, all services and methods will match.
+         */
+        interface GRPCRouteSpecRulesMatchesMethodPatch {
+            /**
+             * Value of the method to match against. If left empty or omitted, will
+             * match all services.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            method: string;
+            /**
+             * Value of the service to match against. If left empty or omitted, will
+             * match any service.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            service: string;
+            /**
+             * Type specifies how to match against the service and/or method.
+             * Support: Core (Exact with service and method specified)
+             *
+             * Support: Implementation-specific (Exact with method specified but no service specified)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+        }
+        /**
+         * GRPCRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a gRPC request only if its service
+         * is `foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * matches:
+         *   - method:
+         *     type: Exact
+         *     service: "foo"
+         *     headers:
+         *   - name: "version"
+         *     value "v1"
+         *
+         * ```
+         */
+        interface GRPCRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies gRPC request header matchers. Multiple match values are
+             * ANDed together, meaning, a request MUST match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1.GRPCRouteSpecRulesMatchesHeadersPatch[];
+            method: outputs.gateway.v1.GRPCRouteSpecRulesMatchesMethodPatch;
+        }
+        /**
+         * GRPCRouteRule defines the semantics for matching a gRPC request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface GRPCRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive an `UNAVAILABLE` status.
+             *
+             * See the GRPCBackendRef definition for the rules about what makes a single
+             * GRPCBackendRef invalid.
+             *
+             * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive an `UNAVAILABLE` status.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+             * Implementations may choose how that 50 percent is determined.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * The effects of ordering of multiple behaviors are currently unspecified.
+             * This can change in the future based on feedback during the alpha stage.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations that support
+             *   GRPCRoute.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * If an implementation cannot support a combination of filters, it must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1.GRPCRouteSpecRulesFiltersPatch[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * gRPC requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - method:
+             *     service: foo.bar
+             *   headers:
+             *     values:
+             *       version: 2
+             * - method:
+             *     service: foo.bar.v2
+             * ```
+             *
+             * For a request to match against this rule, it MUST satisfy
+             * EITHER of the two conditions:
+             *
+             * - service of foo.bar AND contains the header `version: 2`
+             * - service of foo.bar.v2
+             *
+             * See the documentation for GRPCRouteMatch on how to specify multiple
+             * match conditions to be ANDed together.
+             *
+             * If no matches are specified, the implementation MUST match every gRPC request.
+             *
+             * Proxy or Load Balancer routing configuration generated from GRPCRoutes
+             * MUST prioritize rules based on the following criteria, continuing on
+             * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+             * Precedence MUST be given to the rule with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             * * Characters in a matching service.
+             * * Characters in a matching method.
+             * * Header matches.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within the Route that has been given precedence,
+             * matching precedence MUST be granted to the first matching rule meeting
+             * the above criteria.
+             */
+            matches: outputs.gateway.v1.GRPCRouteSpecRulesMatchesPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            sessionPersistence: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistencePatch;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistenceCookieConfig;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface GRPCRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+        /**
+         * Status defines the current state of GRPCRoute.
+         */
+        interface GRPCRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1.GRPCRouteStatusParents[];
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface GRPCRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1.GRPCRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1.GRPCRouteStatusParentsParentRef;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GRPCRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GRPCRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface GRPCRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface GRPCRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface GRPCRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1.GRPCRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1.GRPCRouteStatusParentsParentRefPatch;
+        }
+        /**
+         * Status defines the current state of GRPCRoute.
+         */
+        interface GRPCRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1.GRPCRouteStatusParentsPatch[];
+        }
+        /**
+         * Gateway represents an instance of a service-traffic handling infrastructure
+         * by binding Listeners to a set of IP addresses.
+         */
+        interface Gateway {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Gateway";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.GatewaySpec;
+            status: outputs.gateway.v1.GatewayStatus;
+        }
+        /**
+         * GatewayClass describes a class of Gateways available to the user for creating
+         * Gateway resources.
+         *
+         * It is recommended that this resource be used as a template for Gateways. This
+         * means that a Gateway is based on the state of the GatewayClass at the time it
+         * was created and changes to the GatewayClass or associated parameters are not
+         * propagated down to existing Gateways. This recommendation is intended to
+         * limit the blast radius of changes to GatewayClass or associated parameters.
+         * If implementations choose to propagate GatewayClass changes to existing
+         * Gateways, that MUST be clearly documented by the implementation.
+         *
+         * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+         * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+         * associated GatewayClass. This ensures that a GatewayClass associated with a
+         * Gateway is not deleted while in use.
+         *
+         * GatewayClass is a Cluster level resource.
+         */
+        interface GatewayClass {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "GatewayClass";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.GatewayClassSpec;
+            status: outputs.gateway.v1.GatewayClassStatus;
+        }
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        interface GatewayClassSpec {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1.GatewayClassSpecParametersRef;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewayClassSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewayClassSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        interface GatewayClassSpecPatch {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1.GatewayClassSpecParametersRefPatch;
+        }
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        interface GatewayClassStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1.GatewayClassStatusConditions[];
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1.GatewayClassStatusSupportedFeatures[];
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayClassStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayClassStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        interface GatewayClassStatusPatch {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1.GatewayClassStatusConditionsPatch[];
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1.GatewayClassStatusSupportedFeaturesPatch[];
+        }
+        interface GatewayClassStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+        interface GatewayClassStatusSupportedFeaturesPatch {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        interface GatewaySpec {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses: outputs.gateway.v1.GatewaySpecAddresses[];
+            allowedListeners: outputs.gateway.v1.GatewaySpecAllowedListeners;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope: string;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName: string;
+            infrastructure: outputs.gateway.v1.GatewaySpecInfrastructure;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners: outputs.gateway.v1.GatewaySpecListeners[];
+            tls: outputs.gateway.v1.GatewaySpecTls;
+        }
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        interface GatewaySpecAddresses {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        interface GatewaySpecAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListeners {
+            namespaces: outputs.gateway.v1.GatewaySpecAllowedListenersNamespaces;
+        }
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersNamespaces {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from: string;
+            selector: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelector;
+        }
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersNamespacesPatch {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from: string;
+            selector: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorPatch;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersPatch {
+            namespaces: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesPatch;
+        }
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecInfrastructure {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels: {
+                [key: string]: string;
+            };
+            parametersRef: outputs.gateway.v1.GatewaySpecInfrastructureParametersRef;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewaySpecInfrastructureParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewaySpecInfrastructureParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecInfrastructurePatch {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels: {
+                [key: string]: string;
+            };
+            parametersRef: outputs.gateway.v1.GatewaySpecInfrastructureParametersRefPatch;
+        }
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        interface GatewaySpecListeners {
+            allowedRoutes: outputs.gateway.v1.GatewaySpecListenersAllowedRoutes;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol: string;
+            tls: outputs.gateway.v1.GatewaySpecListenersTls;
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesKinds[];
+            namespaces: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespaces;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewaySpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewaySpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelector;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesKindsPatch[];
+            namespaces: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesPatch;
+        }
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        interface GatewaySpecListenersPatch {
+            allowedRoutes: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesPatch;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol: string;
+            tls: outputs.gateway.v1.GatewaySpecListenersTlsPatch;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsCertificateRefs[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsCertificateRefsPatch[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        interface GatewaySpecPatch {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses: outputs.gateway.v1.GatewaySpecAddressesPatch[];
+            allowedListeners: outputs.gateway.v1.GatewaySpecAllowedListenersPatch;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope: string;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName: string;
+            infrastructure: outputs.gateway.v1.GatewaySpecInfrastructurePatch;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners: outputs.gateway.v1.GatewaySpecListenersPatch[];
+            tls: outputs.gateway.v1.GatewaySpecTlsPatch;
+        }
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecTls {
+            backend: outputs.gateway.v1.GatewaySpecTlsBackend;
+            frontend: outputs.gateway.v1.GatewaySpecTlsFrontend;
+        }
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackend {
+            clientCertificateRef: outputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRef;
+        }
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendClientCertificateRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendClientCertificateRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendPatch {
+            clientCertificateRef: outputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRefPatch;
+        }
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontend {
+            default: outputs.gateway.v1.GatewaySpecTlsFrontendDefault;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort: outputs.gateway.v1.GatewaySpecTlsFrontendPerPort[];
+        }
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        interface GatewaySpecTlsFrontendDefault {
+            validation: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidation;
+        }
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultPatch {
+            validation: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationPatch;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPatch {
+            default: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultPatch;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortPatch[];
+        }
+        interface GatewaySpecTlsFrontendPerPort {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port: number;
+            tls: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTls;
+        }
+        interface GatewaySpecTlsFrontendPerPortPatch {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port: number;
+            tls: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsPatch;
+        }
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTls {
+            validation: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidation;
+        }
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsPatch {
+            validation: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationPatch;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecTlsPatch {
+            backend: outputs.gateway.v1.GatewaySpecTlsBackendPatch;
+            frontend: outputs.gateway.v1.GatewaySpecTlsFrontendPatch;
+        }
+        /**
+         * Status defines the current state of Gateway.
+         */
+        interface GatewayStatus {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses: outputs.gateway.v1.GatewayStatusAddresses[];
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions: outputs.gateway.v1.GatewayStatusConditions[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1.GatewayStatusListeners[];
+        }
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        interface GatewayStatusAddresses {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        interface GatewayStatusAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        interface GatewayStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1.GatewayStatusListenersConditions[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1.GatewayStatusListenersSupportedKinds[];
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusListenersConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        interface GatewayStatusListenersPatch {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1.GatewayStatusListenersConditionsPatch[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1.GatewayStatusListenersSupportedKindsPatch[];
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewayStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewayStatusListenersSupportedKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * Status defines the current state of Gateway.
+         */
+        interface GatewayStatusPatch {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses: outputs.gateway.v1.GatewayStatusAddressesPatch[];
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions: outputs.gateway.v1.GatewayStatusConditionsPatch[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1.GatewayStatusListenersPatch[];
+        }
+        /**
+         * HTTPRoute provides a way to route HTTP requests. This includes the capability
+         * to match requests by hostname, path, header, or query param. Filters can be
+         * used to specify additional processing steps. Backends specify where matching
+         * requests should be routed.
+         */
+        interface HTTPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "HTTPRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.HTTPRouteSpec;
+            status: outputs.gateway.v1.HTTPRouteStatus;
+        }
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        interface HTTPRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1.HTTPRouteSpecParentRefs[];
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1.HTTPRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface HTTPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface HTTPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        interface HTTPRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1.HTTPRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1.HTTPRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface HTTPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefs[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1.HTTPRouteSpecRulesFilters[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches: outputs.gateway.v1.HTTPRouteSpecRulesMatches[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            retry: outputs.gateway.v1.HTTPRouteSpecRulesRetry;
+            sessionPersistence: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistence;
+            timeouts: outputs.gateway.v1.HTTPRouteSpecRulesTimeouts;
+        }
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface HTTPRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFilters[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFilters {
+            cors: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCors;
+            extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef;
+            externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth;
+            requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror;
+            requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect;
+            responseHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef;
+            forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody;
+            grpc: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc;
+            http: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch;
+            forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch;
+            grpc: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch;
+            http: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersPatch {
+            cors: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch;
+            extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch;
+            externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch;
+            requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch;
+            requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch;
+            responseHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface HTTPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersPatch[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesFilters {
+            cors: outputs.gateway.v1.HTTPRouteSpecRulesFiltersCors;
+            extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRef;
+            externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuth;
+            requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirror;
+            requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirect;
+            responseHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewrite;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuth {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef;
+            forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody;
+            grpc: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpc;
+            http: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttp;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthPatch {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch;
+            forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch;
+            grpc: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch;
+            http: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesFiltersPatch {
+            cors: outputs.gateway.v1.HTTPRouteSpecRulesFiltersCorsPatch;
+            extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRefPatch;
+            externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthPatch;
+            requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorPatch;
+            requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPatch;
+            responseHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePatch;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirror {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPath;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPathPatch;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePath;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePathPatch;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        interface HTTPRouteSpecRulesMatches {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1.HTTPRouteSpecRulesMatchesHeaders[];
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesMatchesPath;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams: outputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParams[];
+        }
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        interface HTTPRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        interface HTTPRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        interface HTTPRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1.HTTPRouteSpecRulesMatchesHeadersPatch[];
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesMatchesPathPatch;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams: outputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParamsPatch[];
+        }
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        interface HTTPRouteSpecRulesMatchesPath {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value: string;
+        }
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        interface HTTPRouteSpecRulesMatchesPathPatch {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value: string;
+        }
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        interface HTTPRouteSpecRulesMatchesQueryParams {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        interface HTTPRouteSpecRulesMatchesQueryParamsPatch {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface HTTPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1.HTTPRouteSpecRulesFiltersPatch[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches: outputs.gateway.v1.HTTPRouteSpecRulesMatchesPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            retry: outputs.gateway.v1.HTTPRouteSpecRulesRetryPatch;
+            sessionPersistence: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistencePatch;
+            timeouts: outputs.gateway.v1.HTTPRouteSpecRulesTimeoutsPatch;
+        }
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesRetry {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts: number;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff: string;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes: number[];
+        }
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesRetryPatch {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts: number;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff: string;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes: number[];
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistenceCookieConfig;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesTimeouts {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest: string;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request: string;
+        }
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesTimeoutsPatch {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest: string;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request: string;
+        }
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        interface HTTPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1.HTTPRouteStatusParents[];
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface HTTPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1.HTTPRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1.HTTPRouteStatusParentsParentRef;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface HTTPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface HTTPRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface HTTPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface HTTPRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface HTTPRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1.HTTPRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1.HTTPRouteStatusParentsParentRefPatch;
+        }
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        interface HTTPRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1.HTTPRouteStatusParentsPatch[];
+        }
+    }
+    namespace v1alpha1 {
+        /**
+         * XBackendTrafficPolicy defines the configuration for how traffic to a
+         * target backend should be handled.
+         */
+        interface XBackendTrafficPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.x-k8s.io/v1alpha1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "XBackendTrafficPolicy";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha1.XBackendTrafficPolicySpec;
+            status: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatus;
+        }
+        /**
+         * Spec defines the desired state of BackendTrafficPolicy.
+         */
+        interface XBackendTrafficPolicySpec {
+            retryConstraint: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraint;
+            sessionPersistence: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistence;
+            /**
+             * TargetRefs identifies API object(s) to apply this policy to.
+             * Currently, Backends (A grouping of like endpoints such as Service,
+             * ServiceImport, or any implementation-specific backendRef) are the only
+             * valid API target references.
+             *
+             * Currently, a TargetRef can not be scoped to a specific port on a
+             * Service.
+             */
+            targetRefs: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefs[];
+        }
+        /**
+         * Spec defines the desired state of BackendTrafficPolicy.
+         */
+        interface XBackendTrafficPolicySpecPatch {
+            retryConstraint: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintPatch;
+            sessionPersistence: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistencePatch;
+            /**
+             * TargetRefs identifies API object(s) to apply this policy to.
+             * Currently, Backends (A grouping of like endpoints such as Service,
+             * ServiceImport, or any implementation-specific backendRef) are the only
+             * valid API target references.
+             *
+             * Currently, a TargetRef can not be scoped to a specific port on a
+             * Service.
+             */
+            targetRefs: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefsPatch[];
+        }
+        /**
+         * RetryConstraint defines the configuration for when to allow or prevent
+         * further retries to a target backend, by dynamically calculating a 'retry
+         * budget'. This budget is calculated based on the percentage of incoming
+         * traffic composed of retries over a given time interval. Once the budget
+         * is exceeded, additional retries will be rejected.
+         *
+         * For example, if the retry budget interval is 10 seconds, there have been
+         * 1000 active requests in the past 10 seconds, and the allowed percentage
+         * of requests that can be retried is 20% (the default), then 200 of those
+         * requests may be composed of retries. Active requests will only be
+         * considered for the duration of the interval when calculating the retry
+         * budget. Retrying the same original request multiple times within the
+         * retry budget interval will lead to each retry being counted towards
+         * calculating the budget.
+         *
+         * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with
+         * HTTPRoute Retry settings for each HTTPRouteRule that targets the same
+         * backend. While the HTTPRouteRule Retry stanza can specify whether a
+         * request will be retried, and the number of retry attempts each client
+         * may perform, RetryConstraint helps prevent cascading failures such as
+         * retry storms during periods of consistent failures.
+         *
+         * After the retry budget has been exceeded, additional retries to the
+         * backend MUST return a 503 response to the client.
+         *
+         * Additional configurations for defining a constraint on retries MAY be
+         * defined in the future.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecRetryConstraint {
+            budget: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudget;
+            minRetryRate: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRate;
+        }
+        /**
+         * Budget holds the details of the retry budget configuration.
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintBudget {
+            /**
+             * Interval defines the duration in which requests will be considered
+             * for calculating the budget for retries.
+             *
+             * Support: Extended
+             */
+            interval: string;
+            /**
+             * Percent defines the maximum percentage of active requests that may
+             * be made up of retries.
+             *
+             * Support: Extended
+             */
+            percent: number;
+        }
+        /**
+         * Budget holds the details of the retry budget configuration.
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintBudgetPatch {
+            /**
+             * Interval defines the duration in which requests will be considered
+             * for calculating the budget for retries.
+             *
+             * Support: Extended
+             */
+            interval: string;
+            /**
+             * Percent defines the maximum percentage of active requests that may
+             * be made up of retries.
+             *
+             * Support: Extended
+             */
+            percent: number;
+        }
+        /**
+         * MinRetryRate defines the minimum rate of retries that will be allowable
+         * over a specified duration of time.
+         *
+         * The effective overall minimum rate of retries targeting the backend
+         * service may be much higher, as there can be any number of clients which
+         * are applying this setting locally.
+         *
+         * This ensures that requests can still be retried during periods of low
+         * traffic, where the budget for retries may be calculated as a very low
+         * value.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintMinRetryRate {
+            /**
+             * Count specifies the number of requests per time interval.
+             *
+             * Support: Extended
+             */
+            count: number;
+            /**
+             * Interval specifies the divisor of the rate of requests, the amount of
+             * time during which the given count of requests occur.
+             *
+             * Support: Extended
+             */
+            interval: string;
+        }
+        /**
+         * MinRetryRate defines the minimum rate of retries that will be allowable
+         * over a specified duration of time.
+         *
+         * The effective overall minimum rate of retries targeting the backend
+         * service may be much higher, as there can be any number of clients which
+         * are applying this setting locally.
+         *
+         * This ensures that requests can still be retried during periods of low
+         * traffic, where the budget for retries may be calculated as a very low
+         * value.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch {
+            /**
+             * Count specifies the number of requests per time interval.
+             *
+             * Support: Extended
+             */
+            count: number;
+            /**
+             * Interval specifies the divisor of the rate of requests, the amount of
+             * time during which the given count of requests occur.
+             *
+             * Support: Extended
+             */
+            interval: string;
+        }
+        /**
+         * RetryConstraint defines the configuration for when to allow or prevent
+         * further retries to a target backend, by dynamically calculating a 'retry
+         * budget'. This budget is calculated based on the percentage of incoming
+         * traffic composed of retries over a given time interval. Once the budget
+         * is exceeded, additional retries will be rejected.
+         *
+         * For example, if the retry budget interval is 10 seconds, there have been
+         * 1000 active requests in the past 10 seconds, and the allowed percentage
+         * of requests that can be retried is 20% (the default), then 200 of those
+         * requests may be composed of retries. Active requests will only be
+         * considered for the duration of the interval when calculating the retry
+         * budget. Retrying the same original request multiple times within the
+         * retry budget interval will lead to each retry being counted towards
+         * calculating the budget.
+         *
+         * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with
+         * HTTPRoute Retry settings for each HTTPRouteRule that targets the same
+         * backend. While the HTTPRouteRule Retry stanza can specify whether a
+         * request will be retried, and the number of retry attempts each client
+         * may perform, RetryConstraint helps prevent cascading failures such as
+         * retry storms during periods of consistent failures.
+         *
+         * After the retry budget has been exceeded, additional retries to the
+         * backend MUST return a 503 response to the client.
+         *
+         * Additional configurations for defining a constraint on retries MAY be
+         * defined in the future.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecRetryConstraintPatch {
+            budget: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudgetPatch;
+            minRetryRate: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the backend.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfig;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface XBackendTrafficPolicySpecSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the backend.
+         *
+         * Support: Extended
+         */
+        interface XBackendTrafficPolicySpecSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+        /**
+         * LocalPolicyTargetReference identifies an API object to apply a direct or
+         * inherited policy to. This should be used as part of Policy resources
+         * that can target Gateway API resources. For more information on how this
+         * policy attachment model works, and a sample Policy resource, refer to
+         * the policy attachment documentation for Gateway API.
+         */
+        interface XBackendTrafficPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+        }
+        /**
+         * LocalPolicyTargetReference identifies an API object to apply a direct or
+         * inherited policy to. This should be used as part of Policy resources
+         * that can target Gateway API resources. For more information on how this
+         * policy attachment model works, and a sample Policy resource, refer to
+         * the policy attachment documentation for Gateway API.
+         */
+        interface XBackendTrafficPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+        }
+        /**
+         * Status defines the current state of BackendTrafficPolicy.
+         */
+        interface XBackendTrafficPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestors[];
+        }
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        interface XBackendTrafficPolicyStatusAncestors {
+            ancestorRef: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRef;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        interface XBackendTrafficPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        interface XBackendTrafficPolicyStatusAncestorsAncestorRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XBackendTrafficPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XBackendTrafficPolicyStatusAncestorsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        interface XBackendTrafficPolicyStatusAncestorsPatch {
+            ancestorRef: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRefPatch;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+        /**
+         * Status defines the current state of BackendTrafficPolicy.
+         */
+        interface XBackendTrafficPolicyStatusPatch {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsPatch[];
+        }
+        /**
+         * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+         * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+         *
+         * The parent Gateway must explicitly allow ListenerSet attachment through its
+         * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+         * attachment.
+         *
+         * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+         * optionally target specific listeners using the sectionName field.
+         *
+         * Policy Attachment:
+         * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+         * - Policies do not impact listeners in the parent Gateway
+         * - Different ListenerSets attached to the same Gateway can have different policies
+         * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+         *
+         * ReferenceGrant Semantics:
+         * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+         * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+         * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+         *
+         * Gateway Integration:
+         * - The parent Gateway's status will include an "AttachedListenerSets" condition
+         * - This condition will be:
+         *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+         *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+         *   - Unknown: when no AllowedListeners config is present
+         */
+        interface XListenerSet {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.x-k8s.io/v1alpha1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "XListenerSet";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha1.XListenerSetSpec;
+            status: outputs.gateway.v1alpha1.XListenerSetStatus;
+        }
+        /**
+         * Spec defines the desired state of ListenerSet.
+         */
+        interface XListenerSetSpec {
+            /**
+             * Listeners associated with this ListenerSet. Listeners define
+             * logical endpoints that are bound on this referenced parent Gateway's addresses.
+             *
+             * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+             * as a list when programming the underlying infrastructure. Each listener
+             * name does not need to be unique across the Gateway and ListenerSets.
+             * See ListenerEntry.Name for more details.
+             *
+             * Implementations MUST treat the parent Gateway as having the merged
+             * list of all listeners from itself and attached ListenerSets using
+             * the following precedence:
+             *
+             * 1. "parent" Gateway
+             * 2. ListenerSet ordered by creation time (oldest first)
+             * 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+             *
+             * An implementation MAY reject listeners by setting the ListenerEntryStatus
+             * `Accepted` condition to False with the Reason `TooManyListeners`
+             *
+             * If a listener has a conflict, this will be reported in the
+             * Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+             *
+             * Implementations SHOULD be cautious about what information from the
+             * parent or siblings are reported to avoid accidentally leaking
+             * sensitive information that the child would not otherwise have access
+             * to. This can include contents of secrets etc.
+             */
+            listeners: outputs.gateway.v1alpha1.XListenerSetSpecListeners[];
+            parentRef: outputs.gateway.v1alpha1.XListenerSetSpecParentRef;
+        }
+        interface XListenerSetSpecListeners {
+            allowedRoutes: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutes;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+             *   protocol layers as described above. If an implementation does not
+             *   ensure that both the SNI and Host header match the Listener hostname,
+             *   it MUST clearly document that.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * ListenerSet.
+             *
+             * Name is not required to be unique across a Gateway and ListenerSets.
+             * Routes can attach to a Listener by having a ListenerSet as a parentRef
+             * and setting the SectionName
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * If the port is not set or specified as zero, the implementation will assign
+             * a unique port. If the implementation does not support dynamic port
+             * assignment, it MUST set `Accepted` condition to `False` with the
+             * `UnsupportedPort` reason.
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             */
+            protocol: string;
+            tls: outputs.gateway.v1alpha1.XListenerSetSpecListenersTls;
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         */
+        interface XListenerSetSpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKinds[];
+            namespaces: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespaces;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelector;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         */
+        interface XListenerSetSpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKindsPatch[];
+            namespaces: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesPatch;
+        }
+        interface XListenerSetSpecListenersPatch {
+            allowedRoutes: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesPatch;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+             *   protocol layers as described above. If an implementation does not
+             *   ensure that both the SNI and Host header match the Listener hostname,
+             *   it MUST clearly document that.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * ListenerSet.
+             *
+             * Name is not required to be unique across a Gateway and ListenerSets.
+             * Routes can attach to a Listener by having a ListenerSet as a parentRef
+             * and setting the SectionName
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * If the port is not set or specified as zero, the implementation will assign
+             * a unique port. If the implementation does not support dynamic port
+             * assignment, it MUST set `Accepted` condition to `False` with the
+             * `UnsupportedPort` reason.
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             */
+            protocol: string;
+            tls: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsPatch;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         */
+        interface XListenerSetSpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefs[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface XListenerSetSpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface XListenerSetSpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         */
+        interface XListenerSetSpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefsPatch[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * ParentRef references the Gateway that the listeners are attached to.
+         */
+        interface XListenerSetSpecParentRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Gateway".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.  If not present,
+             * the namespace of the referent is assumed to be the same as
+             * the namespace of the referring object.
+             */
+            namespace: string;
+        }
+        /**
+         * ParentRef references the Gateway that the listeners are attached to.
+         */
+        interface XListenerSetSpecParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Gateway".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.  If not present,
+             * the namespace of the referent is assumed to be the same as
+             * the namespace of the referring object.
+             */
+            namespace: string;
+        }
+        /**
+         * Spec defines the desired state of ListenerSet.
+         */
+        interface XListenerSetSpecPatch {
+            /**
+             * Listeners associated with this ListenerSet. Listeners define
+             * logical endpoints that are bound on this referenced parent Gateway's addresses.
+             *
+             * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+             * as a list when programming the underlying infrastructure. Each listener
+             * name does not need to be unique across the Gateway and ListenerSets.
+             * See ListenerEntry.Name for more details.
+             *
+             * Implementations MUST treat the parent Gateway as having the merged
+             * list of all listeners from itself and attached ListenerSets using
+             * the following precedence:
+             *
+             * 1. "parent" Gateway
+             * 2. ListenerSet ordered by creation time (oldest first)
+             * 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+             *
+             * An implementation MAY reject listeners by setting the ListenerEntryStatus
+             * `Accepted` condition to False with the Reason `TooManyListeners`
+             *
+             * If a listener has a conflict, this will be reported in the
+             * Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+             *
+             * Implementations SHOULD be cautious about what information from the
+             * parent or siblings are reported to avoid accidentally leaking
+             * sensitive information that the child would not otherwise have access
+             * to. This can include contents of secrets etc.
+             */
+            listeners: outputs.gateway.v1alpha1.XListenerSetSpecListenersPatch[];
+            parentRef: outputs.gateway.v1alpha1.XListenerSetSpecParentRefPatch;
+        }
+        /**
+         * Status defines the current state of ListenerSet.
+         */
+        interface XListenerSetStatus {
+            /**
+             * Conditions describe the current conditions of the ListenerSet.
+             *
+             * Implementations MUST express ListenerSet conditions using the
+             * `ListenerSetConditionType` and `ListenerSetConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe ListenerSet state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             */
+            conditions: outputs.gateway.v1alpha1.XListenerSetStatusConditions[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1alpha1.XListenerSetStatusListeners[];
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XListenerSetStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XListenerSetStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        interface XListenerSetStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1alpha1.XListenerSetStatusListenersConditions[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * Port is the network port the listener is configured to listen on.
+             */
+            port: number;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKinds[];
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XListenerSetStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XListenerSetStatusListenersConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        interface XListenerSetStatusListenersPatch {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1alpha1.XListenerSetStatusListenersConditionsPatch[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * Port is the network port the listener is configured to listen on.
+             */
+            port: number;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKindsPatch[];
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface XListenerSetStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface XListenerSetStatusListenersSupportedKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * Status defines the current state of ListenerSet.
+         */
+        interface XListenerSetStatusPatch {
+            /**
+             * Conditions describe the current conditions of the ListenerSet.
+             *
+             * Implementations MUST express ListenerSet conditions using the
+             * `ListenerSetConditionType` and `ListenerSetConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe ListenerSet state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             */
+            conditions: outputs.gateway.v1alpha1.XListenerSetStatusConditionsPatch[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1alpha1.XListenerSetStatusListenersPatch[];
+        }
+        /**
+         * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+         */
+        interface XMesh {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.x-k8s.io/v1alpha1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "XMesh";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha1.XMeshSpec;
+            status: outputs.gateway.v1alpha1.XMeshStatus;
+        }
+        /**
+         * Spec defines the desired state of XMesh.
+         */
+        interface XMeshSpec {
+            /**
+             * ControllerName is the name of a controller that is managing Gateway API
+             * resources for mesh traffic management. The value of this field MUST be a
+             * domain prefixed path.
+             *
+             * Example: "example.com/awesome-mesh".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description optionally provides a human-readable description of a Mesh.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1alpha1.XMeshSpecParametersRef;
+        }
+        /**
+         * ParametersRef is an optional reference to a resource that contains
+         * implementation-specific configuration for this Mesh. If no
+         * implementation-specific parameters are needed, this field MUST be
+         * omitted.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e.
+         * ConfigMap, or an implementation-specific custom resource. The resource
+         * can be cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Mesh MUST be rejected
+         * with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface XMeshSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+        /**
+         * ParametersRef is an optional reference to a resource that contains
+         * implementation-specific configuration for this Mesh. If no
+         * implementation-specific parameters are needed, this field MUST be
+         * omitted.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e.
+         * ConfigMap, or an implementation-specific custom resource. The resource
+         * can be cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Mesh MUST be rejected
+         * with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface XMeshSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+        /**
+         * Spec defines the desired state of XMesh.
+         */
+        interface XMeshSpecPatch {
+            /**
+             * ControllerName is the name of a controller that is managing Gateway API
+             * resources for mesh traffic management. The value of this field MUST be a
+             * domain prefixed path.
+             *
+             * Example: "example.com/awesome-mesh".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description optionally provides a human-readable description of a Mesh.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1alpha1.XMeshSpecParametersRefPatch;
+        }
+        /**
+         * Status defines the current state of XMesh.
+         */
+        interface XMeshStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this Mesh.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of MeshConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1alpha1.XMeshStatusConditions[];
+            /**
+             * SupportedFeatures is the set of features the Mesh support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1alpha1.XMeshStatusSupportedFeatures[];
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XMeshStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface XMeshStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Status defines the current state of XMesh.
+         */
+        interface XMeshStatusPatch {
+            /**
+             * Conditions is the current status from the controller for
+             * this Mesh.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of MeshConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1alpha1.XMeshStatusConditionsPatch[];
+            /**
+             * SupportedFeatures is the set of features the Mesh support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1alpha1.XMeshStatusSupportedFeaturesPatch[];
+        }
+        interface XMeshStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+        interface XMeshStatusSupportedFeaturesPatch {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+    }
+    namespace v1alpha2 {
+        /**
+         * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+         * listener, it can be used to forward connections on the port specified by the
+         * listener to a set of backends specified by the TCPRoute.
+         */
+        interface TCPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha2";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "TCPRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha2.TCPRouteSpec;
+            status: outputs.gateway.v1alpha2.TCPRouteStatus;
+        }
+        /**
+         * Spec defines the desired state of TCPRoute.
+         */
+        interface TCPRouteSpec {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.TCPRouteSpecParentRefs[];
+            /**
+             * Rules are a list of TCP matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.TCPRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TCPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TCPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Spec defines the desired state of TCPRoute.
+         */
+        interface TCPRouteSpecPatch {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.TCPRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of TCP matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.TCPRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * TCPRouteRule is the configuration for a given rule.
+         */
+        interface TCPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Connection rejections must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * connections, then 80% of connections must be rejected instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefs[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TCPRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TCPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * TCPRouteRule is the configuration for a given rule.
+         */
+        interface TCPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Connection rejections must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * connections, then 80% of connections must be rejected instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+        /**
+         * Status defines the current state of TCPRoute.
+         */
+        interface TCPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.TCPRouteStatusParents[];
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface TCPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.TCPRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.TCPRouteStatusParentsParentRef;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface TCPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface TCPRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface TCPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface TCPRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface TCPRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.TCPRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.TCPRouteStatusParentsParentRefPatch;
+        }
+        /**
+         * Status defines the current state of TCPRoute.
+         */
+        interface TCPRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.TCPRouteStatusParentsPatch[];
+        }
+        /**
+         * The TLSRoute resource is similar to TCPRoute, but can be configured
+         * to match against TLS-specific metadata. This allows more flexibility
+         * in matching streams for a given TLS listener.
+         *
+         * If you need to forward traffic to a single target for a TLS listener, you
+         * could choose to use a TCPRoute with a TLS listener.
+         */
+        interface TLSRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha2";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "TLSRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha2.TLSRouteSpec;
+            status: outputs.gateway.v1alpha2.TLSRouteStatus;
+        }
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        interface TLSRouteSpec {
+            /**
+             * Hostnames defines a set of SNI names that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI names per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.TLSRouteSpecParentRefs[];
+            /**
+             * Rules are a list of TLS matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.TLSRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TLSRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TLSRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        interface TLSRouteSpecPatch {
+            /**
+             * Hostnames defines a set of SNI names that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI names per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.TLSRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of TLS matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.TLSRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        interface TLSRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefs[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TLSRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TLSRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        interface TLSRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        interface TLSRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.TLSRouteStatusParents[];
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface TLSRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.TLSRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.TLSRouteStatusParentsParentRef;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface TLSRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface TLSRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface TLSRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface TLSRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface TLSRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.TLSRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.TLSRouteStatusParentsParentRefPatch;
+        }
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        interface TLSRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.TLSRouteStatusParentsPatch[];
+        }
+        /**
+         * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+         * listener, it can be used to forward traffic on the port specified by the
+         * listener to a set of backends specified by the UDPRoute.
+         */
+        interface UDPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha2";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "UDPRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha2.UDPRouteSpec;
+            status: outputs.gateway.v1alpha2.UDPRouteStatus;
+        }
+        /**
+         * Spec defines the desired state of UDPRoute.
+         */
+        interface UDPRouteSpec {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.UDPRouteSpecParentRefs[];
+            /**
+             * Rules are a list of UDP matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.UDPRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface UDPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface UDPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Spec defines the desired state of UDPRoute.
+         */
+        interface UDPRouteSpecPatch {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.UDPRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of UDP matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.UDPRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * UDPRouteRule is the configuration for a given rule.
+         */
+        interface UDPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Packet drops must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * the packets, then 80% of packets must be dropped instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefs[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface UDPRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface UDPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * UDPRouteRule is the configuration for a given rule.
+         */
+        interface UDPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Packet drops must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * the packets, then 80% of packets must be dropped instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+        /**
+         * Status defines the current state of UDPRoute.
+         */
+        interface UDPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.UDPRouteStatusParents[];
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface UDPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.UDPRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.UDPRouteStatusParentsParentRef;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface UDPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface UDPRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface UDPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface UDPRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface UDPRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.UDPRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.UDPRouteStatusParentsParentRefPatch;
+        }
+        /**
+         * Status defines the current state of UDPRoute.
+         */
+        interface UDPRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.UDPRouteStatusParentsPatch[];
+        }
+    }
+    namespace v1alpha3 {
+        /**
+         * BackendTLSPolicy provides a way to configure how a Gateway
+         * connects to a Backend via TLS.
+         */
+        interface BackendTLSPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha3";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "BackendTLSPolicy";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha3.BackendTLSPolicySpec;
+            status: outputs.gateway.v1alpha3.BackendTLSPolicyStatus;
+        }
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicySpec {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefs[];
+            validation: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidation;
+        }
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicySpecPatch {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefsPatch[];
+            validation: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationPatch;
+        }
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        interface BackendTLSPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName: string;
+        }
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        interface BackendTLSPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName: string;
+        }
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        interface BackendTLSPolicySpecValidation {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefs[];
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNames[];
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates: string;
+        }
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface BackendTLSPolicySpecValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface BackendTLSPolicySpecValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        interface BackendTLSPolicySpecValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefsPatch[];
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNamesPatch[];
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates: string;
+        }
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        interface BackendTLSPolicySpecValidationSubjectAltNames {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type: string;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri: string;
+        }
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        interface BackendTLSPolicySpecValidationSubjectAltNamesPatch {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type: string;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri: string;
+        }
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestors[];
+        }
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        interface BackendTLSPolicyStatusAncestors {
+            ancestorRef: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsAncestorRef;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        interface BackendTLSPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        interface BackendTLSPolicyStatusAncestorsAncestorRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface BackendTLSPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface BackendTLSPolicyStatusAncestorsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        interface BackendTLSPolicyStatusAncestorsPatch {
+            ancestorRef: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsAncestorRefPatch;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        interface BackendTLSPolicyStatusPatch {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsPatch[];
+        }
+        /**
+         * The TLSRoute resource is similar to TCPRoute, but can be configured
+         * to match against TLS-specific metadata. This allows more flexibility
+         * in matching streams for a given TLS listener.
+         *
+         * If you need to forward traffic to a single target for a TLS listener, you
+         * could choose to use a TCPRoute with a TLS listener.
+         */
+        interface TLSRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha3";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "TLSRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha3.TLSRouteSpec;
+            status: outputs.gateway.v1alpha3.TLSRouteStatus;
+        }
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        interface TLSRouteSpec {
+            /**
+             * Hostnames defines a set of SNI hostnames that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI hostnames per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one of `test.example.com` or
+             *   `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one hostname that matches the Listener
+             *   hostname. For example, `test.example.com` and `*.example.com` would both
+             *   match. On the other hand, `example.com` and `test.example.net` would not
+             *   match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha3.TLSRouteSpecParentRefs[];
+            /**
+             * Rules are a list of actions.
+             */
+            rules: outputs.gateway.v1alpha3.TLSRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TLSRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface TLSRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        interface TLSRouteSpecPatch {
+            /**
+             * Hostnames defines a set of SNI hostnames that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI hostnames per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one of `test.example.com` or
+             *   `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one hostname that matches the Listener
+             *   hostname. For example, `test.example.com` and `*.example.com` would both
+             *   match. On the other hand, `example.com` and `test.example.net` would not
+             *   match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha3.TLSRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of actions.
+             */
+            rules: outputs.gateway.v1alpha3.TLSRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        interface TLSRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefs[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TLSRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        interface TLSRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        interface TLSRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        interface TLSRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha3.TLSRouteStatusParents[];
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface TLSRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha3.TLSRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha3.TLSRouteStatusParentsParentRef;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface TLSRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface TLSRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface TLSRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface TLSRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface TLSRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha3.TLSRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha3.TLSRouteStatusParentsParentRefPatch;
+        }
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        interface TLSRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha3.TLSRouteStatusParentsPatch[];
+        }
+    }
+    namespace v1beta1 {
+        /**
+         * Gateway represents an instance of a service-traffic handling infrastructure
+         * by binding Listeners to a set of IP addresses.
+         */
+        interface Gateway {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1beta1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Gateway";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1beta1.GatewaySpec;
+            status: outputs.gateway.v1beta1.GatewayStatus;
+        }
+        /**
+         * GatewayClass describes a class of Gateways available to the user for creating
+         * Gateway resources.
+         *
+         * It is recommended that this resource be used as a template for Gateways. This
+         * means that a Gateway is based on the state of the GatewayClass at the time it
+         * was created and changes to the GatewayClass or associated parameters are not
+         * propagated down to existing Gateways. This recommendation is intended to
+         * limit the blast radius of changes to GatewayClass or associated parameters.
+         * If implementations choose to propagate GatewayClass changes to existing
+         * Gateways, that MUST be clearly documented by the implementation.
+         *
+         * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+         * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+         * associated GatewayClass. This ensures that a GatewayClass associated with a
+         * Gateway is not deleted while in use.
+         *
+         * GatewayClass is a Cluster level resource.
+         */
+        interface GatewayClass {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1beta1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "GatewayClass";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1beta1.GatewayClassSpec;
+            status: outputs.gateway.v1beta1.GatewayClassStatus;
+        }
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        interface GatewayClassSpec {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1beta1.GatewayClassSpecParametersRef;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewayClassSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewayClassSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        interface GatewayClassSpecPatch {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1beta1.GatewayClassSpecParametersRefPatch;
+        }
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        interface GatewayClassStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1beta1.GatewayClassStatusConditions[];
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1beta1.GatewayClassStatusSupportedFeatures[];
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayClassStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayClassStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        interface GatewayClassStatusPatch {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1beta1.GatewayClassStatusConditionsPatch[];
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1beta1.GatewayClassStatusSupportedFeaturesPatch[];
+        }
+        interface GatewayClassStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+        interface GatewayClassStatusSupportedFeaturesPatch {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        interface GatewaySpec {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses: outputs.gateway.v1beta1.GatewaySpecAddresses[];
+            allowedListeners: outputs.gateway.v1beta1.GatewaySpecAllowedListeners;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope: string;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName: string;
+            infrastructure: outputs.gateway.v1beta1.GatewaySpecInfrastructure;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners: outputs.gateway.v1beta1.GatewaySpecListeners[];
+            tls: outputs.gateway.v1beta1.GatewaySpecTls;
+        }
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        interface GatewaySpecAddresses {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        interface GatewaySpecAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListeners {
+            namespaces: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespaces;
+        }
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersNamespaces {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from: string;
+            selector: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelector;
+        }
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersNamespacesPatch {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from: string;
+            selector: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorPatch;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        interface GatewaySpecAllowedListenersNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        interface GatewaySpecAllowedListenersPatch {
+            namespaces: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesPatch;
+        }
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecInfrastructure {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels: {
+                [key: string]: string;
+            };
+            parametersRef: outputs.gateway.v1beta1.GatewaySpecInfrastructureParametersRef;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewaySpecInfrastructureParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        interface GatewaySpecInfrastructureParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecInfrastructurePatch {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels: {
+                [key: string]: string;
+            };
+            parametersRef: outputs.gateway.v1beta1.GatewaySpecInfrastructureParametersRefPatch;
+        }
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        interface GatewaySpecListeners {
+            allowedRoutes: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutes;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol: string;
+            tls: outputs.gateway.v1beta1.GatewaySpecListenersTls;
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKinds[];
+            namespaces: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespaces;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewaySpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewaySpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelector;
+        }
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch;
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKindsPatch[];
+            namespaces: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesPatch;
+        }
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        interface GatewaySpecListenersPatch {
+            allowedRoutes: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesPatch;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol: string;
+            tls: outputs.gateway.v1beta1.GatewaySpecListenersTlsPatch;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefs[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefsPatch[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {
+                [key: string]: string;
+            };
+        }
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        interface GatewaySpecPatch {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses: outputs.gateway.v1beta1.GatewaySpecAddressesPatch[];
+            allowedListeners: outputs.gateway.v1beta1.GatewaySpecAllowedListenersPatch;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope: string;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName: string;
+            infrastructure: outputs.gateway.v1beta1.GatewaySpecInfrastructurePatch;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners: outputs.gateway.v1beta1.GatewaySpecListenersPatch[];
+            tls: outputs.gateway.v1beta1.GatewaySpecTlsPatch;
+        }
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecTls {
+            backend: outputs.gateway.v1beta1.GatewaySpecTlsBackend;
+            frontend: outputs.gateway.v1beta1.GatewaySpecTlsFrontend;
+        }
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackend {
+            clientCertificateRef: outputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRef;
+        }
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendClientCertificateRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendClientCertificateRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsBackendPatch {
+            clientCertificateRef: outputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRefPatch;
+        }
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontend {
+            default: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefault;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPort[];
+        }
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        interface GatewaySpecTlsFrontendDefault {
+            validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidation;
+        }
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultPatch {
+            validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationPatch;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendDefaultValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPatch {
+            default: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultPatch;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortPatch[];
+        }
+        interface GatewaySpecTlsFrontendPerPort {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port: number;
+            tls: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTls;
+        }
+        interface GatewaySpecTlsFrontendPerPortPatch {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port: number;
+            tls: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsPatch;
+        }
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTls {
+            validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidation;
+        }
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsPatch {
+            validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationPatch;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        interface GatewaySpecTlsFrontendPerPortTlsValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        interface GatewaySpecTlsPatch {
+            backend: outputs.gateway.v1beta1.GatewaySpecTlsBackendPatch;
+            frontend: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPatch;
+        }
+        /**
+         * Status defines the current state of Gateway.
+         */
+        interface GatewayStatus {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses: outputs.gateway.v1beta1.GatewayStatusAddresses[];
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions: outputs.gateway.v1beta1.GatewayStatusConditions[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1beta1.GatewayStatusListeners[];
+        }
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        interface GatewayStatusAddresses {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        interface GatewayStatusAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        interface GatewayStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1beta1.GatewayStatusListenersConditions[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1beta1.GatewayStatusListenersSupportedKinds[];
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface GatewayStatusListenersConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        interface GatewayStatusListenersPatch {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1beta1.GatewayStatusListenersConditionsPatch[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1beta1.GatewayStatusListenersSupportedKindsPatch[];
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewayStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        interface GatewayStatusListenersSupportedKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+        /**
+         * Status defines the current state of Gateway.
+         */
+        interface GatewayStatusPatch {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses: outputs.gateway.v1beta1.GatewayStatusAddressesPatch[];
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions: outputs.gateway.v1beta1.GatewayStatusConditionsPatch[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1beta1.GatewayStatusListenersPatch[];
+        }
+        /**
+         * HTTPRoute provides a way to route HTTP requests. This includes the capability
+         * to match requests by hostname, path, header, or query param. Filters can be
+         * used to specify additional processing steps. Backends specify where matching
+         * requests should be routed.
+         */
+        interface HTTPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1beta1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "HTTPRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1beta1.HTTPRouteSpec;
+            status: outputs.gateway.v1beta1.HTTPRouteStatus;
+        }
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        interface HTTPRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1beta1.HTTPRouteSpecParentRefs[];
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1beta1.HTTPRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface HTTPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        interface HTTPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        interface HTTPRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1beta1.HTTPRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1beta1.HTTPRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface HTTPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefs[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesFilters[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatches[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            retry: outputs.gateway.v1beta1.HTTPRouteSpecRulesRetry;
+            sessionPersistence: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistence;
+            timeouts: outputs.gateway.v1beta1.HTTPRouteSpecRulesTimeouts;
+        }
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface HTTPRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFilters[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFilters {
+            cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCors;
+            extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef;
+            externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth;
+            requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror;
+            requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect;
+            responseHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef;
+            forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody;
+            grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc;
+            http: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch;
+            forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch;
+            grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch;
+            http: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersPatch {
+            cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch;
+            extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch;
+            externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch;
+            requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch;
+            requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch;
+            responseHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        interface HTTPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersPatch[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesFilters {
+            cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCors;
+            extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRef;
+            externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuth;
+            requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirror;
+            requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirect;
+            responseHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewrite;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        interface HTTPRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuth {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef;
+            forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody;
+            grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpc;
+            http: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttp;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersExternalAuthPatch {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch;
+            forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch;
+            grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch;
+            http: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        interface HTTPRouteSpecRulesFiltersPatch {
+            cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCorsPatch;
+            extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRefPatch;
+            externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthPatch;
+            requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorPatch;
+            requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPatch;
+            responseHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePatch;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirror {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPath;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPathPatch;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSet[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch[];
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePath;
+        }
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePathPatch;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        interface HTTPRouteSpecRulesMatches {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesHeaders[];
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPath;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParams[];
+        }
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        interface HTTPRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        interface HTTPRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        interface HTTPRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesHeadersPatch[];
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPathPatch;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParamsPatch[];
+        }
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        interface HTTPRouteSpecRulesMatchesPath {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value: string;
+        }
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        interface HTTPRouteSpecRulesMatchesPathPatch {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value: string;
+        }
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        interface HTTPRouteSpecRulesMatchesQueryParams {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        interface HTTPRouteSpecRulesMatchesQueryParamsPatch {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value: string;
+        }
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        interface HTTPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersPatch[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            retry: outputs.gateway.v1beta1.HTTPRouteSpecRulesRetryPatch;
+            sessionPersistence: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistencePatch;
+            timeouts: outputs.gateway.v1beta1.HTTPRouteSpecRulesTimeoutsPatch;
+        }
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesRetry {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts: number;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff: string;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes: number[];
+        }
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesRetryPatch {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts: number;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff: string;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes: number[];
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistenceCookieConfig;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesTimeouts {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest: string;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request: string;
+        }
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        interface HTTPRouteSpecRulesTimeoutsPatch {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest: string;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request: string;
+        }
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        interface HTTPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1beta1.HTTPRouteStatusParents[];
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface HTTPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1beta1.HTTPRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1beta1.HTTPRouteStatusParentsParentRef;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface HTTPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        interface HTTPRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface HTTPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        interface HTTPRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        interface HTTPRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1beta1.HTTPRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1beta1.HTTPRouteStatusParentsParentRefPatch;
+        }
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        interface HTTPRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1beta1.HTTPRouteStatusParentsPatch[];
+        }
+        /**
+         * ReferenceGrant identifies kinds of resources in other namespaces that are
+         * trusted to reference the specified kinds of resources in the same namespace
+         * as the policy.
+         *
+         * Each ReferenceGrant can be used to represent a unique trust relationship.
+         * Additional Reference Grants can be used to add to the set of trusted
+         * sources of inbound references for the namespace they are defined within.
+         *
+         * All cross-namespace references in Gateway API (with the exception of cross-namespace
+         * Gateway-route attachment) require a ReferenceGrant.
+         *
+         * ReferenceGrant is a form of runtime verification allowing users to assert
+         * which cross-namespace object references are permitted. Implementations that
+         * support ReferenceGrant MUST NOT permit cross-namespace references which have
+         * no grant, and MUST respond to the removal of a grant by revoking the access
+         * that the grant allowed.
+         */
+        interface ReferenceGrant {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1beta1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "ReferenceGrant";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1beta1.ReferenceGrantSpec;
+        }
+        /**
+         * Spec defines the desired state of ReferenceGrant.
+         */
+        interface ReferenceGrantSpec {
+            /**
+             * From describes the trusted namespaces and kinds that can reference the
+             * resources described in "To". Each entry in this list MUST be considered
+             * to be an additional place that references can be valid from, or to put
+             * this another way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            from: outputs.gateway.v1beta1.ReferenceGrantSpecFrom[];
+            /**
+             * To describes the resources that may be referenced by the resources
+             * described in "From". Each entry in this list MUST be considered to be an
+             * additional place that references can be valid to, or to put this another
+             * way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            to: outputs.gateway.v1beta1.ReferenceGrantSpecTo[];
+        }
+        /**
+         * ReferenceGrantFrom describes trusted namespaces and kinds.
+         */
+        interface ReferenceGrantSpecFrom {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field.
+             *
+             * When used to permit a SecretObjectReference:
+             *
+             * * Gateway
+             *
+             * When used to permit a BackendObjectReference:
+             *
+             * * GRPCRoute
+             * * HTTPRoute
+             * * TCPRoute
+             * * TLSRoute
+             * * UDPRoute
+             */
+            kind: string;
+            /**
+             * Namespace is the namespace of the referent.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * ReferenceGrantFrom describes trusted namespaces and kinds.
+         */
+        interface ReferenceGrantSpecFromPatch {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field.
+             *
+             * When used to permit a SecretObjectReference:
+             *
+             * * Gateway
+             *
+             * When used to permit a BackendObjectReference:
+             *
+             * * GRPCRoute
+             * * HTTPRoute
+             * * TCPRoute
+             * * TLSRoute
+             * * UDPRoute
+             */
+            kind: string;
+            /**
+             * Namespace is the namespace of the referent.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+        /**
+         * Spec defines the desired state of ReferenceGrant.
+         */
+        interface ReferenceGrantSpecPatch {
+            /**
+             * From describes the trusted namespaces and kinds that can reference the
+             * resources described in "To". Each entry in this list MUST be considered
+             * to be an additional place that references can be valid from, or to put
+             * this another way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            from: outputs.gateway.v1beta1.ReferenceGrantSpecFromPatch[];
+            /**
+             * To describes the resources that may be referenced by the resources
+             * described in "From". Each entry in this list MUST be considered to be an
+             * additional place that references can be valid to, or to put this another
+             * way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            to: outputs.gateway.v1beta1.ReferenceGrantSpecToPatch[];
+        }
+        /**
+         * ReferenceGrantTo describes what Kinds are allowed as targets of the
+         * references.
+         */
+        interface ReferenceGrantSpecTo {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field:
+             *
+             * * Secret when used to permit a SecretObjectReference
+             * * Service when used to permit a BackendObjectReference
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent. When unspecified, this policy
+             * refers to all resources of the specified Group and Kind in the local
+             * namespace.
+             */
+            name: string;
+        }
+        /**
+         * ReferenceGrantTo describes what Kinds are allowed as targets of the
+         * references.
+         */
+        interface ReferenceGrantSpecToPatch {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field:
+             *
+             * * Secret when used to permit a SecretObjectReference
+             * * Service when used to permit a BackendObjectReference
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent. When unspecified, this policy
+             * refers to all resources of the specified Group and Kind in the local
+             * namespace.
+             */
+            name: string;
+        }
+    }
+}
+export declare namespace meta {
+    namespace v1 {
+        /**
+         * ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.
+         */
+        interface ListMeta {
+            /**
+             * continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.
+             */
+            continue: string;
+            /**
+             * remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.
+             */
+            remainingItemCount: number;
+            /**
+             * String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion: string;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink: string;
+        }
+        /**
+         * ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.
+         */
+        interface ManagedFieldsEntry {
+            /**
+             * APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.
+             */
+            apiVersion: string;
+            /**
+             * FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"
+             */
+            fieldsType: string;
+            /**
+             * FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+             */
+            fieldsV1: any;
+            /**
+             * Manager is an identifier of the workflow managing these fields.
+             */
+            manager: string;
+            /**
+             * Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.
+             */
+            operation: string;
+            /**
+             * Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.
+             */
+            subresource: string;
+            /**
+             * Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.
+             */
+            time: string;
+        }
+        /**
+         * ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.
+         */
+        interface ManagedFieldsEntryPatch {
+            /**
+             * APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.
+             */
+            apiVersion: string;
+            /**
+             * FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"
+             */
+            fieldsType: string;
+            /**
+             * FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+             */
+            fieldsV1: any;
+            /**
+             * Manager is an identifier of the workflow managing these fields.
+             */
+            manager: string;
+            /**
+             * Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.
+             */
+            operation: string;
+            /**
+             * Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.
+             */
+            subresource: string;
+            /**
+             * Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.
+             */
+            time: string;
+        }
+        /**
+         * ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.
+         */
+        interface ObjectMeta {
+            /**
+             * Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+             *
+             * Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            creationTimestamp: string;
+            /**
+             * Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
+             */
+            deletionGracePeriodSeconds: number;
+            /**
+             * DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
+             *
+             * Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            deletionTimestamp: string;
+            /**
+             * Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
+             */
+            finalizers: string[];
+            /**
+             * GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.
+             *
+             * If this field is specified and the generated name exists, the server will return a 409.
+             *
+             * Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+             */
+            generateName: string;
+            /**
+             * A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
+             */
+            generation: number;
+            /**
+             * Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+             */
+            labels: {
+                [key: string]: string;
+            };
+            /**
+             * ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+             */
+            managedFields: outputs.meta.v1.ManagedFieldsEntry[];
+            /**
+             * Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: string;
+            /**
+             * Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
+             *
+             * Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+             */
+            namespace: string;
+            /**
+             * List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
+             */
+            ownerReferences: outputs.meta.v1.OwnerReference[];
+            /**
+             * An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.
+             *
+             * Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion: string;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink: string;
+            /**
+             * UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
+             *
+             * Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: string;
+        }
+        /**
+         * ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.
+         */
+        interface ObjectMetaPatch {
+            /**
+             * Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
+             */
+            annotations: {
+                [key: string]: string;
+            };
+            /**
+             * CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+             *
+             * Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            creationTimestamp: string;
+            /**
+             * Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
+             */
+            deletionGracePeriodSeconds: number;
+            /**
+             * DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
+             *
+             * Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            deletionTimestamp: string;
+            /**
+             * Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
+             */
+            finalizers: string[];
+            /**
+             * GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.
+             *
+             * If this field is specified and the generated name exists, the server will return a 409.
+             *
+             * Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+             */
+            generateName: string;
+            /**
+             * A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
+             */
+            generation: number;
+            /**
+             * Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+             */
+            labels: {
+                [key: string]: string;
+            };
+            /**
+             * ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+             */
+            managedFields: outputs.meta.v1.ManagedFieldsEntryPatch[];
+            /**
+             * Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: string;
+            /**
+             * Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
+             *
+             * Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+             */
+            namespace: string;
+            /**
+             * List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
+             */
+            ownerReferences: outputs.meta.v1.OwnerReferencePatch[];
+            /**
+             * An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.
+             *
+             * Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion: string;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink: string;
+            /**
+             * UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
+             *
+             * Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: string;
+        }
+        /**
+         * OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.
+         */
+        interface OwnerReference {
+            /**
+             * API version of the referent.
+             */
+            apiVersion: string;
+            /**
+             * If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.
+             */
+            blockOwnerDeletion: boolean;
+            /**
+             * If true, this reference points to the managing controller.
+             */
+            controller: boolean;
+            /**
+             * Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: string;
+            /**
+             * Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: string;
+            /**
+             * UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: string;
+        }
+        /**
+         * OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.
+         */
+        interface OwnerReferencePatch {
+            /**
+             * API version of the referent.
+             */
+            apiVersion: string;
+            /**
+             * If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.
+             */
+            blockOwnerDeletion: boolean;
+            /**
+             * If true, this reference points to the managing controller.
+             */
+            controller: boolean;
+            /**
+             * Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: string;
+            /**
+             * Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: string;
+            /**
+             * UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: string;
+        }
+    }
+}
diff --git a/generated/crds/types/output.js b/generated/crds/types/output.js
new file mode 100644
index 0000000..9d50076
--- /dev/null
+++ b/generated/crds/types/output.js
@@ -0,0 +1,4 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
diff --git a/generated/crds/types/output.ts b/generated/crds/types/output.ts
new file mode 100644
index 0000000..ef9c829
--- /dev/null
+++ b/generated/crds/types/output.ts
@@ -0,0 +1,52777 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "../types/input";
+import * as outputs from "../types/output";
+
+export namespace acme {
+    export namespace v1 {
+        /**
+         * Challenge is a type to represent a Challenge request with an ACME server
+         */
+        export interface Challenge {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "acme.cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Challenge";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.acme.v1.ChallengeSpec;
+            status: outputs.acme.v1.ChallengeStatus;
+        }
+
+        export interface ChallengeSpec {
+            /**
+             * The URL to the ACME Authorization resource that this
+             * challenge is a part of.
+             */
+            authorizationURL: string;
+            /**
+             * dnsName is the identifier that this challenge is for, e.g., example.com.
+             * If the requested DNSName is a 'wildcard', this field MUST be set to the
+             * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
+             */
+            dnsName: string;
+            issuerRef: outputs.acme.v1.ChallengeSpecIssuerRef;
+            /**
+             * The ACME challenge key for this challenge
+             * For HTTP01 challenges, this is the value that must be responded with to
+             * complete the HTTP01 challenge in the format:
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`.
+             * For DNS01 challenges, this is the base64 encoded SHA256 sum of the
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`
+             * text that must be set as the TXT record content.
+             */
+            key: string;
+            solver: outputs.acme.v1.ChallengeSpecSolver;
+            /**
+             * The ACME challenge token for this challenge.
+             * This is the raw value returned from the ACME server.
+             */
+            token: string;
+            /**
+             * The type of ACME challenge this resource represents.
+             * One of "HTTP-01" or "DNS-01".
+             */
+            type: string;
+            /**
+             * The URL of the ACME Challenge resource for this challenge.
+             * This can be used to lookup details about the status of this challenge.
+             */
+            url: string;
+            /**
+             * wildcard will be true if this challenge is for a wildcard identifier,
+             * for example '*.example.com'.
+             */
+            wildcard: boolean;
+        }
+
+        /**
+         * References a properly configured ACME-type Issuer which should
+         * be used to create this Challenge.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Challenge will be marked as failed.
+         */
+        export interface ChallengeSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+
+        /**
+         * References a properly configured ACME-type Issuer which should
+         * be used to create this Challenge.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Challenge will be marked as failed.
+         */
+        export interface ChallengeSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+
+        export interface ChallengeSpecPatch {
+            /**
+             * The URL to the ACME Authorization resource that this
+             * challenge is a part of.
+             */
+            authorizationURL: string;
+            /**
+             * dnsName is the identifier that this challenge is for, e.g., example.com.
+             * If the requested DNSName is a 'wildcard', this field MUST be set to the
+             * non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.
+             */
+            dnsName: string;
+            issuerRef: outputs.acme.v1.ChallengeSpecIssuerRefPatch;
+            /**
+             * The ACME challenge key for this challenge
+             * For HTTP01 challenges, this is the value that must be responded with to
+             * complete the HTTP01 challenge in the format:
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`.
+             * For DNS01 challenges, this is the base64 encoded SHA256 sum of the
+             * `<private key JWK thumbprint>.<key from acme server for challenge>`
+             * text that must be set as the TXT record content.
+             */
+            key: string;
+            solver: outputs.acme.v1.ChallengeSpecSolverPatch;
+            /**
+             * The ACME challenge token for this challenge.
+             * This is the raw value returned from the ACME server.
+             */
+            token: string;
+            /**
+             * The type of ACME challenge this resource represents.
+             * One of "HTTP-01" or "DNS-01".
+             */
+            type: string;
+            /**
+             * The URL of the ACME Challenge resource for this challenge.
+             * This can be used to lookup details about the status of this challenge.
+             */
+            url: string;
+            /**
+             * wildcard will be true if this challenge is for a wildcard identifier,
+             * for example '*.example.com'.
+             */
+            wildcard: boolean;
+        }
+
+        /**
+         * Contains the domain solving configuration that should be used to
+         * solve this challenge resource.
+         */
+        export interface ChallengeSpecSolver {
+            dns01: outputs.acme.v1.ChallengeSpecSolverDns01;
+            http01: outputs.acme.v1.ChallengeSpecSolverHttp01;
+            selector: outputs.acme.v1.ChallengeSpecSolverSelector;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface ChallengeSpecSolverDns01 {
+            acmeDNS: outputs.acme.v1.ChallengeSpecSolverDns01AcmeDNS;
+            akamai: outputs.acme.v1.ChallengeSpecSolverDns01Akamai;
+            azureDNS: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNS;
+            cloudDNS: outputs.acme.v1.ChallengeSpecSolverDns01CloudDNS;
+            cloudflare: outputs.acme.v1.ChallengeSpecSolverDns01Cloudflare;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.acme.v1.ChallengeSpecSolverDns01Digitalocean;
+            rfc2136: outputs.acme.v1.ChallengeSpecSolverDns01Rfc2136;
+            route53: outputs.acme.v1.ChallengeSpecSolverDns01Route53;
+            webhook: outputs.acme.v1.ChallengeSpecSolverDns01Webhook;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AcmeDNS {
+            accountSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSAccountSecretRef;
+            host: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AcmeDNSPatch {
+            accountSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSAccountSecretRefPatch;
+            host: string;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Akamai {
+            accessTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiAccessTokenSecretRef;
+            clientSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientSecretSecretRef;
+            clientTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientTokenSecretRef;
+            serviceConsumerDomain: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AkamaiPatch {
+            accessTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiAccessTokenSecretRefPatch;
+            clientSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientSecretSecretRefPatch;
+            clientTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiClientTokenSecretRefPatch;
+            serviceConsumerDomain: string;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSClientSecretSecretRef;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSManagedIdentity;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSClientSecretSecretRefPatch;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSManagedIdentityPatch;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRef;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRefPatch;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Cloudflare {
+            apiKeySecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiKeySecretRef;
+            apiTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiTokenSecretRef;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface ChallengeSpecSolverDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface ChallengeSpecSolverDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface ChallengeSpecSolverDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface ChallengeSpecSolverDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01CloudflarePatch {
+            apiKeySecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiKeySecretRefPatch;
+            apiTokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01CloudflareApiTokenSecretRefPatch;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Digitalocean {
+            tokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanTokenSecretRef;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01DigitaloceanPatch {
+            tokenSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanTokenSecretRefPatch;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ChallengeSpecSolverDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface ChallengeSpecSolverDns01Patch {
+            acmeDNS: outputs.acme.v1.ChallengeSpecSolverDns01AcmeDNSPatch;
+            akamai: outputs.acme.v1.ChallengeSpecSolverDns01AkamaiPatch;
+            azureDNS: outputs.acme.v1.ChallengeSpecSolverDns01AzureDNSPatch;
+            cloudDNS: outputs.acme.v1.ChallengeSpecSolverDns01CloudDNSPatch;
+            cloudflare: outputs.acme.v1.ChallengeSpecSolverDns01CloudflarePatch;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.acme.v1.ChallengeSpecSolverDns01DigitaloceanPatch;
+            rfc2136: outputs.acme.v1.ChallengeSpecSolverDns01Rfc2136Patch;
+            route53: outputs.acme.v1.ChallengeSpecSolverDns01Route53Patch;
+            webhook: outputs.acme.v1.ChallengeSpecSolverDns01WebhookPatch;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRef;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRefPatch;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface ChallengeSpecSolverDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef;
+            auth: outputs.acme.v1.ChallengeSpecSolverDns01Route53Auth;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53SecretAccessKeySecretRef;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ChallengeSpecSolverDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface ChallengeSpecSolverDns01Route53Auth {
+            kubernetes: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetes;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthKubernetes {
+            serviceAccountRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRef;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthKubernetesPatch {
+            serviceAccountRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRefPatch;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface ChallengeSpecSolverDns01Route53AuthPatch {
+            kubernetes: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthKubernetesPatch;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53AccessKeyIDSecretRefPatch;
+            auth: outputs.acme.v1.ChallengeSpecSolverDns01Route53AuthPatch;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.acme.v1.ChallengeSpecSolverDns01Route53SecretAccessKeySecretRefPatch;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ChallengeSpecSolverDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ChallengeSpecSolverDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {[key: string]: any};
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface ChallengeSpecSolverDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {[key: string]: any};
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface ChallengeSpecSolverHttp01 {
+            gatewayHTTPRoute: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoute;
+            ingress: outputs.acme.v1.ChallengeSpecSolverHttp01Ingress;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {[key: string]: string};
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs[];
+            podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {[key: string]: string};
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRouteParentRefsPatch[];
+            podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplate {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata;
+            spec: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateMetadataPatch;
+            spec: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources;
+            securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch;
+            securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[];
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[];
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ChallengeSpecSolverHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface ChallengeSpecSolverHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplate;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01IngressIngressTemplate {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplateMetadata;
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01IngressIngressTemplatePatch {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplateMetadataPatch;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01IngressIngressTemplatePatch;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplate {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateMetadata;
+            spec: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpec;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplatePatch {
+            metadata: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateMetadataPatch;
+            spec: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecPatch;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpec {
+            affinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResources;
+            securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerations[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinity;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecPatch {
+            affinity: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch;
+            securityContext: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch[];
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls[];
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ChallengeSpecSolverHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface ChallengeSpecSolverHttp01Patch {
+            gatewayHTTPRoute: outputs.acme.v1.ChallengeSpecSolverHttp01GatewayHTTPRoutePatch;
+            ingress: outputs.acme.v1.ChallengeSpecSolverHttp01IngressPatch;
+        }
+
+        /**
+         * Contains the domain solving configuration that should be used to
+         * solve this challenge resource.
+         */
+        export interface ChallengeSpecSolverPatch {
+            dns01: outputs.acme.v1.ChallengeSpecSolverDns01Patch;
+            http01: outputs.acme.v1.ChallengeSpecSolverHttp01Patch;
+            selector: outputs.acme.v1.ChallengeSpecSolverSelectorPatch;
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface ChallengeSpecSolverSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface ChallengeSpecSolverSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        export interface ChallengeStatus {
+            /**
+             * presented will be set to true if the challenge values for this challenge
+             * are currently 'presented'.
+             * This *does not* imply the self check is passing. Only that the values
+             * have been 'submitted' for the appropriate challenge mechanism (i.e. the
+             * DNS01 TXT record has been presented, or the HTTP01 configuration has been
+             * configured).
+             */
+            presented: boolean;
+            /**
+             * Used to denote whether this challenge should be processed or not.
+             * This field will only be set to true by the 'scheduling' component.
+             * It will only be set to false by the 'challenges' controller, after the
+             * challenge has reached a final state or timed out.
+             * If this field is set to false, the challenge controller will not take
+             * any more action.
+             */
+            processing: boolean;
+            /**
+             * Contains human readable information on why the Challenge is in the
+             * current state.
+             */
+            reason: string;
+            /**
+             * Contains the current 'state' of the challenge.
+             * If not set, the state of the challenge is unknown.
+             */
+            state: string;
+        }
+
+        export interface ChallengeStatusPatch {
+            /**
+             * presented will be set to true if the challenge values for this challenge
+             * are currently 'presented'.
+             * This *does not* imply the self check is passing. Only that the values
+             * have been 'submitted' for the appropriate challenge mechanism (i.e. the
+             * DNS01 TXT record has been presented, or the HTTP01 configuration has been
+             * configured).
+             */
+            presented: boolean;
+            /**
+             * Used to denote whether this challenge should be processed or not.
+             * This field will only be set to true by the 'scheduling' component.
+             * It will only be set to false by the 'challenges' controller, after the
+             * challenge has reached a final state or timed out.
+             * If this field is set to false, the challenge controller will not take
+             * any more action.
+             */
+            processing: boolean;
+            /**
+             * Contains human readable information on why the Challenge is in the
+             * current state.
+             */
+            reason: string;
+            /**
+             * Contains the current 'state' of the challenge.
+             * If not set, the state of the challenge is unknown.
+             */
+            state: string;
+        }
+
+        /**
+         * Order is a type to represent an Order with an ACME server
+         */
+        export interface Order {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "acme.cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Order";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.acme.v1.OrderSpec;
+            status: outputs.acme.v1.OrderStatus;
+        }
+
+        export interface OrderSpec {
+            /**
+             * CommonName is the common name as specified on the DER encoded CSR.
+             * If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            commonName: string;
+            /**
+             * DNSNames is a list of DNS names that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            dnsNames: string[];
+            /**
+             * Duration is the duration for the not after date for the requested certificate.
+             * this is set on order creation as pe the ACME spec.
+             */
+            duration: string;
+            /**
+             * IPAddresses is a list of IP addresses that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            ipAddresses: string[];
+            issuerRef: outputs.acme.v1.OrderSpecIssuerRef;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Certificate signing request bytes in DER encoding.
+             * This will be used when finalizing the order.
+             * This field must be set on the order.
+             */
+            request: string;
+        }
+
+        /**
+         * IssuerRef references a properly configured ACME-type Issuer which should
+         * be used to create this Order.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Order will be marked as failed.
+         */
+        export interface OrderSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+
+        /**
+         * IssuerRef references a properly configured ACME-type Issuer which should
+         * be used to create this Order.
+         * If the Issuer does not exist, processing will be retried.
+         * If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+         * Order will be marked as failed.
+         */
+        export interface OrderSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+
+        export interface OrderSpecPatch {
+            /**
+             * CommonName is the common name as specified on the DER encoded CSR.
+             * If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            commonName: string;
+            /**
+             * DNSNames is a list of DNS names that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            dnsNames: string[];
+            /**
+             * Duration is the duration for the not after date for the requested certificate.
+             * this is set on order creation as pe the ACME spec.
+             */
+            duration: string;
+            /**
+             * IPAddresses is a list of IP addresses that should be included as part of the Order
+             * validation process.
+             * This field must match the corresponding field on the DER encoded CSR.
+             */
+            ipAddresses: string[];
+            issuerRef: outputs.acme.v1.OrderSpecIssuerRefPatch;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Certificate signing request bytes in DER encoding.
+             * This will be used when finalizing the order.
+             * This field must be set on the order.
+             */
+            request: string;
+        }
+
+        export interface OrderStatus {
+            /**
+             * Authorizations contains data returned from the ACME server on what
+             * authorizations must be completed in order to validate the DNS names
+             * specified on the Order.
+             */
+            authorizations: outputs.acme.v1.OrderStatusAuthorizations[];
+            /**
+             * Certificate is a copy of the PEM encoded certificate for this Order.
+             * This field will be populated after the order has been successfully
+             * finalized with the ACME server, and the order has transitioned to the
+             * 'valid' state.
+             */
+            certificate: string;
+            /**
+             * FailureTime stores the time that this order failed.
+             * This is used to influence garbage collection and back-off.
+             */
+            failureTime: string;
+            /**
+             * FinalizeURL of the Order.
+             * This is used to obtain certificates for this order once it has been completed.
+             */
+            finalizeURL: string;
+            /**
+             * Reason optionally provides more information about a why the order is in
+             * the current state.
+             */
+            reason: string;
+            /**
+             * State contains the current state of this Order resource.
+             * States 'success' and 'expired' are 'final'
+             */
+            state: string;
+            /**
+             * URL of the Order.
+             * This will initially be empty when the resource is first created.
+             * The Order controller will populate this field when the Order is first processed.
+             * This field will be immutable after it is initially set.
+             */
+            url: string;
+        }
+
+        /**
+         * ACMEAuthorization contains data returned from the ACME server on an
+         * authorization that must be completed in order validate a DNS name on an ACME
+         * Order resource.
+         */
+        export interface OrderStatusAuthorizations {
+            /**
+             * Challenges specifies the challenge types offered by the ACME server.
+             * One of these challenge types will be selected when validating the DNS
+             * name and an appropriate Challenge resource will be created to perform
+             * the ACME challenge process.
+             */
+            challenges: outputs.acme.v1.OrderStatusAuthorizationsChallenges[];
+            /**
+             * Identifier is the DNS name to be validated as part of this authorization
+             */
+            identifier: string;
+            /**
+             * InitialState is the initial state of the ACME authorization when first
+             * fetched from the ACME server.
+             * If an Authorization is already 'valid', the Order controller will not
+             * create a Challenge resource for the authorization. This will occur when
+             * working with an ACME server that enables 'authz reuse' (such as Let's
+             * Encrypt's production endpoint).
+             * If not set and 'identifier' is set, the state is assumed to be pending
+             * and a Challenge will be created.
+             */
+            initialState: string;
+            /**
+             * URL is the URL of the Authorization that must be completed
+             */
+            url: string;
+            /**
+             * Wildcard will be true if this authorization is for a wildcard DNS name.
+             * If this is true, the identifier will be the *non-wildcard* version of
+             * the DNS name.
+             * For example, if '*.example.com' is the DNS name being validated, this
+             * field will be 'true' and the 'identifier' field will be 'example.com'.
+             */
+            wildcard: boolean;
+        }
+
+        /**
+         * Challenge specifies a challenge offered by the ACME server for an Order.
+         * An appropriate Challenge resource can be created to perform the ACME
+         * challenge process.
+         */
+        export interface OrderStatusAuthorizationsChallenges {
+            /**
+             * Token is the token that must be presented for this challenge.
+             * This is used to compute the 'key' that must also be presented.
+             */
+            token: string;
+            /**
+             * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01',
+             * 'tls-sni-01', etc.
+             * This is the raw value retrieved from the ACME server.
+             * Only 'http-01' and 'dns-01' are supported by cert-manager, other values
+             * will be ignored.
+             */
+            type: string;
+            /**
+             * URL is the URL of this challenge. It can be used to retrieve additional
+             * metadata about the Challenge from the ACME server.
+             */
+            url: string;
+        }
+
+        /**
+         * Challenge specifies a challenge offered by the ACME server for an Order.
+         * An appropriate Challenge resource can be created to perform the ACME
+         * challenge process.
+         */
+        export interface OrderStatusAuthorizationsChallengesPatch {
+            /**
+             * Token is the token that must be presented for this challenge.
+             * This is used to compute the 'key' that must also be presented.
+             */
+            token: string;
+            /**
+             * Type is the type of challenge being offered, e.g., 'http-01', 'dns-01',
+             * 'tls-sni-01', etc.
+             * This is the raw value retrieved from the ACME server.
+             * Only 'http-01' and 'dns-01' are supported by cert-manager, other values
+             * will be ignored.
+             */
+            type: string;
+            /**
+             * URL is the URL of this challenge. It can be used to retrieve additional
+             * metadata about the Challenge from the ACME server.
+             */
+            url: string;
+        }
+
+        /**
+         * ACMEAuthorization contains data returned from the ACME server on an
+         * authorization that must be completed in order validate a DNS name on an ACME
+         * Order resource.
+         */
+        export interface OrderStatusAuthorizationsPatch {
+            /**
+             * Challenges specifies the challenge types offered by the ACME server.
+             * One of these challenge types will be selected when validating the DNS
+             * name and an appropriate Challenge resource will be created to perform
+             * the ACME challenge process.
+             */
+            challenges: outputs.acme.v1.OrderStatusAuthorizationsChallengesPatch[];
+            /**
+             * Identifier is the DNS name to be validated as part of this authorization
+             */
+            identifier: string;
+            /**
+             * InitialState is the initial state of the ACME authorization when first
+             * fetched from the ACME server.
+             * If an Authorization is already 'valid', the Order controller will not
+             * create a Challenge resource for the authorization. This will occur when
+             * working with an ACME server that enables 'authz reuse' (such as Let's
+             * Encrypt's production endpoint).
+             * If not set and 'identifier' is set, the state is assumed to be pending
+             * and a Challenge will be created.
+             */
+            initialState: string;
+            /**
+             * URL is the URL of the Authorization that must be completed
+             */
+            url: string;
+            /**
+             * Wildcard will be true if this authorization is for a wildcard DNS name.
+             * If this is true, the identifier will be the *non-wildcard* version of
+             * the DNS name.
+             * For example, if '*.example.com' is the DNS name being validated, this
+             * field will be 'true' and the 'identifier' field will be 'example.com'.
+             */
+            wildcard: boolean;
+        }
+
+        export interface OrderStatusPatch {
+            /**
+             * Authorizations contains data returned from the ACME server on what
+             * authorizations must be completed in order to validate the DNS names
+             * specified on the Order.
+             */
+            authorizations: outputs.acme.v1.OrderStatusAuthorizationsPatch[];
+            /**
+             * Certificate is a copy of the PEM encoded certificate for this Order.
+             * This field will be populated after the order has been successfully
+             * finalized with the ACME server, and the order has transitioned to the
+             * 'valid' state.
+             */
+            certificate: string;
+            /**
+             * FailureTime stores the time that this order failed.
+             * This is used to influence garbage collection and back-off.
+             */
+            failureTime: string;
+            /**
+             * FinalizeURL of the Order.
+             * This is used to obtain certificates for this order once it has been completed.
+             */
+            finalizeURL: string;
+            /**
+             * Reason optionally provides more information about a why the order is in
+             * the current state.
+             */
+            reason: string;
+            /**
+             * State contains the current state of this Order resource.
+             * States 'success' and 'expired' are 'final'
+             */
+            state: string;
+            /**
+             * URL of the Order.
+             * This will initially be empty when the resource is first created.
+             * The Order controller will populate this field when the Order is first processed.
+             * This field will be immutable after it is initially set.
+             */
+            url: string;
+        }
+
+    }
+}
+
+export namespace cert_manager {
+    export namespace v1 {
+        /**
+         * A Certificate resource should be created to ensure an up to date and signed
+         * X.509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+         *
+         * The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+         */
+        export interface Certificate {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Certificate";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.cert_manager.v1.CertificateSpec;
+            status: outputs.cert_manager.v1.CertificateStatus;
+        }
+
+        /**
+         * A CertificateRequest is used to request a signed certificate from one of the
+         * configured issuers.
+         *
+         * All fields within the CertificateRequest's `spec` are immutable after creation.
+         * A CertificateRequest will either succeed or fail, as denoted by its `Ready` status
+         * condition and its `status.failureTime` field.
+         *
+         * A CertificateRequest is a one-shot resource, meaning it represents a single
+         * point in time request for a certificate and cannot be re-used.
+         */
+        export interface CertificateRequest {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "CertificateRequest";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.cert_manager.v1.CertificateRequestSpec;
+            status: outputs.cert_manager.v1.CertificateRequestStatus;
+        }
+
+        /**
+         * Specification of the desired state of the CertificateRequest resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateRequestSpec {
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             */
+            duration: string;
+            /**
+             * Extra contains extra attributes of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            extra: {[key: string]: string[]};
+            /**
+             * Groups contains group membership of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            groups: string[];
+            /**
+             * Requested basic constraints isCA value. Note that the issuer may choose
+             * to ignore the requested isCA value, just like any other requested attribute.
+             *
+             * NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
+             * it must have the same isCA value as specified here.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA: boolean;
+            issuerRef: outputs.cert_manager.v1.CertificateRequestSpecIssuerRef;
+            /**
+             * The PEM-encoded X.509 certificate signing request to be submitted to the
+             * issuer for signing.
+             *
+             * If the CSR has a BasicConstraints extension, its isCA attribute must
+             * match the `isCA` value of this CertificateRequest.
+             * If the CSR has a KeyUsage extension, its key usages must match the
+             * key usages in the `usages` field of this CertificateRequest.
+             * If the CSR has a ExtKeyUsage extension, its extended key usages
+             * must match the extended key usages in the `usages` field of this
+             * CertificateRequest.
+             */
+            request: string;
+            /**
+             * UID contains the uid of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            uid: string;
+            /**
+             * Requested key usages and extended key usages.
+             *
+             * NOTE: If the CSR in the `Request` field has uses the KeyUsage or
+             * ExtKeyUsage extension, these extensions must have the same values
+             * as specified here without any additional values.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages: string[];
+            /**
+             * Username contains the name of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            username: string;
+        }
+
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        export interface CertificateRequestSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        export interface CertificateRequestSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+
+        /**
+         * Specification of the desired state of the CertificateRequest resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateRequestSpecPatch {
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             */
+            duration: string;
+            /**
+             * Extra contains extra attributes of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            extra: {[key: string]: string[]};
+            /**
+             * Groups contains group membership of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            groups: string[];
+            /**
+             * Requested basic constraints isCA value. Note that the issuer may choose
+             * to ignore the requested isCA value, just like any other requested attribute.
+             *
+             * NOTE: If the CSR in the `Request` field has a BasicConstraints extension,
+             * it must have the same isCA value as specified here.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA: boolean;
+            issuerRef: outputs.cert_manager.v1.CertificateRequestSpecIssuerRefPatch;
+            /**
+             * The PEM-encoded X.509 certificate signing request to be submitted to the
+             * issuer for signing.
+             *
+             * If the CSR has a BasicConstraints extension, its isCA attribute must
+             * match the `isCA` value of this CertificateRequest.
+             * If the CSR has a KeyUsage extension, its key usages must match the
+             * key usages in the `usages` field of this CertificateRequest.
+             * If the CSR has a ExtKeyUsage extension, its extended key usages
+             * must match the extended key usages in the `usages` field of this
+             * CertificateRequest.
+             */
+            request: string;
+            /**
+             * UID contains the uid of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            uid: string;
+            /**
+             * Requested key usages and extended key usages.
+             *
+             * NOTE: If the CSR in the `Request` field has uses the KeyUsage or
+             * ExtKeyUsage extension, these extensions must have the same values
+             * as specified here without any additional values.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages: string[];
+            /**
+             * Username contains the name of the user that created the CertificateRequest.
+             * Populated by the cert-manager webhook on creation and immutable.
+             */
+            username: string;
+        }
+
+        /**
+         * Status of the CertificateRequest.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateRequestStatus {
+            /**
+             * The PEM encoded X.509 certificate of the signer, also known as the CA
+             * (Certificate Authority).
+             * This is set on a best-effort basis by different issuers.
+             * If not set, the CA is assumed to be unknown/not available.
+             */
+            ca: string;
+            /**
+             * The PEM encoded X.509 certificate resulting from the certificate
+             * signing request.
+             * If not set, the CertificateRequest has either not been completed or has
+             * failed. More information on failure can be found by checking the
+             * `conditions` field.
+             */
+            certificate: string;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
+             */
+            conditions: outputs.cert_manager.v1.CertificateRequestStatusConditions[];
+            /**
+             * FailureTime stores the time that this CertificateRequest failed. This is
+             * used to influence garbage collection and back-off.
+             */
+            failureTime: string;
+        }
+
+        /**
+         * CertificateRequestCondition contains condition information for a CertificateRequest.
+         */
+        export interface CertificateRequestStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`, `InvalidRequest`,
+             * `Approved`, `Denied`).
+             */
+            type: string;
+        }
+
+        /**
+         * CertificateRequestCondition contains condition information for a CertificateRequest.
+         */
+        export interface CertificateRequestStatusConditionsPatch {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`, `InvalidRequest`,
+             * `Approved`, `Denied`).
+             */
+            type: string;
+        }
+
+        /**
+         * Status of the CertificateRequest.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateRequestStatusPatch {
+            /**
+             * The PEM encoded X.509 certificate of the signer, also known as the CA
+             * (Certificate Authority).
+             * This is set on a best-effort basis by different issuers.
+             * If not set, the CA is assumed to be unknown/not available.
+             */
+            ca: string;
+            /**
+             * The PEM encoded X.509 certificate resulting from the certificate
+             * signing request.
+             * If not set, the CertificateRequest has either not been completed or has
+             * failed. More information on failure can be found by checking the
+             * `conditions` field.
+             */
+            certificate: string;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`, `InvalidRequest`, `Approved` and `Denied`.
+             */
+            conditions: outputs.cert_manager.v1.CertificateRequestStatusConditionsPatch[];
+            /**
+             * FailureTime stores the time that this CertificateRequest failed. This is
+             * used to influence garbage collection and back-off.
+             */
+            failureTime: string;
+        }
+
+        /**
+         * Specification of the desired state of the Certificate resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateSpec {
+            /**
+             * Defines extra output formats of the private key and signed certificate chain
+             * to be written to this Certificate's target Secret.
+             */
+            additionalOutputFormats: outputs.cert_manager.v1.CertificateSpecAdditionalOutputFormats[];
+            /**
+             * Requested common name X509 certificate subject attribute.
+             * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+             * NOTE: TLS clients will ignore this value when any subject alternative name is
+             * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
+             *
+             * Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
+             * Cannot be set if the `literalSubject` field is set.
+             */
+            commonName: string;
+            /**
+             * Requested DNS subject alternative names.
+             */
+            dnsNames: string[];
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             *
+             * If unset, this defaults to 90 days.
+             * Minimum accepted duration is 1 hour.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             */
+            duration: string;
+            /**
+             * Requested email subject alternative names.
+             */
+            emailAddresses: string[];
+            /**
+             * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
+             *
+             * This option defaults to true, and should only be disabled if the target
+             * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
+             */
+            encodeUsagesInRequest: boolean;
+            /**
+             * Requested IP address subject alternative names.
+             */
+            ipAddresses: string[];
+            /**
+             * Requested basic constraints isCA value.
+             * The isCA value is used to set the `isCA` field on the created CertificateRequest
+             * resources. Note that the issuer may choose to ignore the requested isCA value, just
+             * like any other requested attribute.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA: boolean;
+            issuerRef: outputs.cert_manager.v1.CertificateSpecIssuerRef;
+            keystores: outputs.cert_manager.v1.CertificateSpecKeystores;
+            /**
+             * Requested X.509 certificate subject, represented using the LDAP "String
+             * Representation of a Distinguished Name" [1].
+             * Important: the LDAP string format also specifies the order of the attributes
+             * in the subject, this is important when issuing certs for LDAP authentication.
+             * Example: `CN=foo,DC=corp,DC=example,DC=com`
+             * More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
+             * More info: https://github.com/cert-manager/cert-manager/issues/3203
+             * More info: https://github.com/cert-manager/cert-manager/issues/4424
+             *
+             * Cannot be set if the `subject` or `commonName` field is set.
+             */
+            literalSubject: string;
+            nameConstraints: outputs.cert_manager.v1.CertificateSpecNameConstraints;
+            /**
+             * `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+             * Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+             * Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+             * You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+             */
+            otherNames: outputs.cert_manager.v1.CertificateSpecOtherNames[];
+            privateKey: outputs.cert_manager.v1.CertificateSpecPrivateKey;
+            /**
+             * How long before the currently issued certificate's expiry cert-manager should
+             * renew the certificate. For example, if a certificate is valid for 60 minutes,
+             * and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
+             * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
+             * the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * If unset, this defaults to 1/3 of the issued certificate's lifetime.
+             * Minimum accepted value is 5 minutes.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             * Cannot be set if the `renewBeforePercentage` field is set.
+             */
+            renewBefore: string;
+            /**
+             * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
+             * rather than an absolute duration. For example, if a certificate is valid for 60
+             * minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
+             * renew the certificate 45 minutes after it was issued (i.e. when there are 15
+             * minutes (25%) remaining until the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * Value must be an integer in the range (0,100). The minimum effective
+             * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
+             * minutes.
+             * Cannot be set if the `renewBefore` field is set.
+             */
+            renewBeforePercentage: number;
+            /**
+             * The maximum number of CertificateRequest revisions that are maintained in
+             * the Certificate's history. Each revision represents a single `CertificateRequest`
+             * created by this Certificate, either when it was created, renewed, or Spec
+             * was changed. Revisions will be removed by oldest first if the number of
+             * revisions exceeds this number.
+             *
+             * If set, revisionHistoryLimit must be a value of `1` or greater.
+             * Default value is `1`.
+             */
+            revisionHistoryLimit: number;
+            /**
+             * Name of the Secret resource that will be automatically created and
+             * managed by this Certificate resource. It will be populated with a
+             * private key and certificate, signed by the denoted issuer. The Secret
+             * resource lives in the same namespace as the Certificate resource.
+             */
+            secretName: string;
+            secretTemplate: outputs.cert_manager.v1.CertificateSpecSecretTemplate;
+            /**
+             * Signature algorithm to use.
+             * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
+             * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
+             * Allowed values for Ed25519 keys: PureEd25519.
+             */
+            signatureAlgorithm: string;
+            subject: outputs.cert_manager.v1.CertificateSpecSubject;
+            /**
+             * Requested URI subject alternative names.
+             */
+            uris: string[];
+            /**
+             * Requested key usages and extended key usages.
+             * These usages are used to set the `usages` field on the created CertificateRequest
+             * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
+             * will additionally be encoded in the `request` field which contains the CSR blob.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages: string[];
+        }
+
+        /**
+         * CertificateAdditionalOutputFormat defines an additional output format of a
+         * Certificate resource. These contain supplementary data formats of the signed
+         * certificate chain and paired private key.
+         */
+        export interface CertificateSpecAdditionalOutputFormats {
+            /**
+             * Type is the name of the format type that should be written to the
+             * Certificate's target Secret.
+             */
+            type: string;
+        }
+
+        /**
+         * CertificateAdditionalOutputFormat defines an additional output format of a
+         * Certificate resource. These contain supplementary data formats of the signed
+         * certificate chain and paired private key.
+         */
+        export interface CertificateSpecAdditionalOutputFormatsPatch {
+            /**
+             * Type is the name of the format type that should be written to the
+             * Certificate's target Secret.
+             */
+            type: string;
+        }
+
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        export interface CertificateSpecIssuerRef {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to the issuer responsible for issuing the certificate.
+         * If the issuer is namespace-scoped, it must be in the same namespace
+         * as the Certificate. If the issuer is cluster-scoped, it can be used
+         * from any namespace.
+         *
+         * The `name` field of the reference must always be specified.
+         */
+        export interface CertificateSpecIssuerRefPatch {
+            /**
+             * Group of the issuer being referred to.
+             * Defaults to 'cert-manager.io'.
+             */
+            group: string;
+            /**
+             * Kind of the issuer being referred to.
+             * Defaults to 'Issuer'.
+             */
+            kind: string;
+            /**
+             * Name of the issuer being referred to.
+             */
+            name: string;
+        }
+
+        /**
+         * Additional keystore output formats to be stored in the Certificate's Secret.
+         */
+        export interface CertificateSpecKeystores {
+            jks: outputs.cert_manager.v1.CertificateSpecKeystoresJks;
+            pkcs12: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12;
+        }
+
+        /**
+         * JKS configures options for storing a JKS keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        export interface CertificateSpecKeystoresJks {
+            /**
+             * Alias specifies the alias of the key in the keystore, required by the JKS format.
+             * If not provided, the default alias `certificate` will be used.
+             */
+            alias: string;
+            /**
+             * Create enables JKS keystore creation for the Certificate.
+             * If true, a file named `keystore.jks` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.jks`
+             * will also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef`
+             * containing the issuing Certificate Authority
+             */
+            create: boolean;
+            /**
+             * Password provides a literal password used to encrypt the JKS keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password: string;
+            passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRef;
+        }
+
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the JKS keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        export interface CertificateSpecKeystoresJksPasswordSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the JKS keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        export interface CertificateSpecKeystoresJksPasswordSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * JKS configures options for storing a JKS keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        export interface CertificateSpecKeystoresJksPatch {
+            /**
+             * Alias specifies the alias of the key in the keystore, required by the JKS format.
+             * If not provided, the default alias `certificate` will be used.
+             */
+            alias: string;
+            /**
+             * Create enables JKS keystore creation for the Certificate.
+             * If true, a file named `keystore.jks` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.jks`
+             * will also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef`
+             * containing the issuing Certificate Authority
+             */
+            create: boolean;
+            /**
+             * Password provides a literal password used to encrypt the JKS keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password: string;
+            passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresJksPasswordSecretRefPatch;
+        }
+
+        /**
+         * Additional keystore output formats to be stored in the Certificate's Secret.
+         */
+        export interface CertificateSpecKeystoresPatch {
+            jks: outputs.cert_manager.v1.CertificateSpecKeystoresJksPatch;
+            pkcs12: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12Patch;
+        }
+
+        /**
+         * PKCS12 configures options for storing a PKCS12 keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        export interface CertificateSpecKeystoresPkcs12 {
+            /**
+             * Create enables PKCS12 keystore creation for the Certificate.
+             * If true, a file named `keystore.p12` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or in `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.p12` will
+             * also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef` containing the issuing Certificate
+             * Authority
+             */
+            create: boolean;
+            /**
+             * Password provides a literal password used to encrypt the PKCS#12 keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password: string;
+            passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRef;
+            /**
+             * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
+             * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
+             *
+             * If provided, allowed values are:
+             * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+             * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+             * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+             * (e.g., because of company policy). Please note that the security of the algorithm is not that important
+             * in reality, because the unencrypted certificate and private key are also stored in the Secret.
+             */
+            profile: string;
+        }
+
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the PKCS#12 keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        export interface CertificateSpecKeystoresPkcs12PasswordSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PasswordSecretRef is a reference to a non-empty key in a Secret resource
+         * containing the password used to encrypt the PKCS#12 keystore.
+         * Mutually exclusive with password.
+         * One of password or passwordSecretRef must provide a password with a non-zero length.
+         */
+        export interface CertificateSpecKeystoresPkcs12PasswordSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PKCS12 configures options for storing a PKCS12 keystore in the
+         * `spec.secretName` Secret resource.
+         */
+        export interface CertificateSpecKeystoresPkcs12Patch {
+            /**
+             * Create enables PKCS12 keystore creation for the Certificate.
+             * If true, a file named `keystore.p12` will be created in the target
+             * Secret resource, encrypted using the password stored in
+             * `passwordSecretRef` or in `password`.
+             * The keystore file will be updated immediately.
+             * If the issuer provided a CA certificate, a file named `truststore.p12` will
+             * also be created in the target Secret resource, encrypted using the
+             * password stored in `passwordSecretRef` containing the issuing Certificate
+             * Authority
+             */
+            create: boolean;
+            /**
+             * Password provides a literal password used to encrypt the PKCS#12 keystore.
+             * Mutually exclusive with passwordSecretRef.
+             * One of password or passwordSecretRef must provide a password with a non-zero length.
+             */
+            password: string;
+            passwordSecretRef: outputs.cert_manager.v1.CertificateSpecKeystoresPkcs12PasswordSecretRefPatch;
+            /**
+             * Profile specifies the key and certificate encryption algorithms and the HMAC algorithm
+             * used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
+             *
+             * If provided, allowed values are:
+             * `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+             * `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility.
+             * `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms
+             * (e.g., because of company policy). Please note that the security of the algorithm is not that important
+             * in reality, because the unencrypted certificate and private key are also stored in the Secret.
+             */
+            profile: string;
+        }
+
+        /**
+         * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
+         * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+         *
+         * This is an Alpha Feature and is only enabled with the
+         * `--feature-gates=NameConstraints=true` option set on both
+         * the controller and webhook components.
+         */
+        export interface CertificateSpecNameConstraints {
+            /**
+             * if true then the name constraints are marked critical.
+             */
+            critical: boolean;
+            excluded: outputs.cert_manager.v1.CertificateSpecNameConstraintsExcluded;
+            permitted: outputs.cert_manager.v1.CertificateSpecNameConstraintsPermitted;
+        }
+
+        /**
+         * Excluded contains the constraints which must be disallowed. Any name matching a
+         * restriction in the excluded field is invalid regardless
+         * of information appearing in the permitted
+         */
+        export interface CertificateSpecNameConstraintsExcluded {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains: string[];
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses: string[];
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges: string[];
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains: string[];
+        }
+
+        /**
+         * Excluded contains the constraints which must be disallowed. Any name matching a
+         * restriction in the excluded field is invalid regardless
+         * of information appearing in the permitted
+         */
+        export interface CertificateSpecNameConstraintsExcludedPatch {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains: string[];
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses: string[];
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges: string[];
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains: string[];
+        }
+
+        /**
+         * x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
+         * More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+         *
+         * This is an Alpha Feature and is only enabled with the
+         * `--feature-gates=NameConstraints=true` option set on both
+         * the controller and webhook components.
+         */
+        export interface CertificateSpecNameConstraintsPatch {
+            /**
+             * if true then the name constraints are marked critical.
+             */
+            critical: boolean;
+            excluded: outputs.cert_manager.v1.CertificateSpecNameConstraintsExcludedPatch;
+            permitted: outputs.cert_manager.v1.CertificateSpecNameConstraintsPermittedPatch;
+        }
+
+        /**
+         * Permitted contains the constraints in which the names must be located.
+         */
+        export interface CertificateSpecNameConstraintsPermitted {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains: string[];
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses: string[];
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges: string[];
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains: string[];
+        }
+
+        /**
+         * Permitted contains the constraints in which the names must be located.
+         */
+        export interface CertificateSpecNameConstraintsPermittedPatch {
+            /**
+             * DNSDomains is a list of DNS domains that are permitted or excluded.
+             */
+            dnsDomains: string[];
+            /**
+             * EmailAddresses is a list of Email Addresses that are permitted or excluded.
+             */
+            emailAddresses: string[];
+            /**
+             * IPRanges is a list of IP Ranges that are permitted or excluded.
+             * This should be a valid CIDR notation.
+             */
+            ipRanges: string[];
+            /**
+             * URIDomains is a list of URI domains that are permitted or excluded.
+             */
+            uriDomains: string[];
+        }
+
+        export interface CertificateSpecOtherNames {
+            /**
+             * OID is the object identifier for the otherName SAN.
+             * The object identifier must be expressed as a dotted string, for
+             * example, "1.2.840.113556.1.4.221".
+             */
+            oid: string;
+            /**
+             * utf8Value is the string value of the otherName SAN.
+             * The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+             */
+            utf8Value: string;
+        }
+
+        export interface CertificateSpecOtherNamesPatch {
+            /**
+             * OID is the object identifier for the otherName SAN.
+             * The object identifier must be expressed as a dotted string, for
+             * example, "1.2.840.113556.1.4.221".
+             */
+            oid: string;
+            /**
+             * utf8Value is the string value of the otherName SAN.
+             * The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.
+             */
+            utf8Value: string;
+        }
+
+        /**
+         * Specification of the desired state of the Certificate resource.
+         * https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateSpecPatch {
+            /**
+             * Defines extra output formats of the private key and signed certificate chain
+             * to be written to this Certificate's target Secret.
+             */
+            additionalOutputFormats: outputs.cert_manager.v1.CertificateSpecAdditionalOutputFormatsPatch[];
+            /**
+             * Requested common name X509 certificate subject attribute.
+             * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+             * NOTE: TLS clients will ignore this value when any subject alternative name is
+             * set (see https://tools.ietf.org/html/rfc6125#section-6.4.4).
+             *
+             * Should have a length of 64 characters or fewer to avoid generating invalid CSRs.
+             * Cannot be set if the `literalSubject` field is set.
+             */
+            commonName: string;
+            /**
+             * Requested DNS subject alternative names.
+             */
+            dnsNames: string[];
+            /**
+             * Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
+             * issuer may choose to ignore the requested duration, just like any other
+             * requested attribute.
+             *
+             * If unset, this defaults to 90 days.
+             * Minimum accepted duration is 1 hour.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             */
+            duration: string;
+            /**
+             * Requested email subject alternative names.
+             */
+            emailAddresses: string[];
+            /**
+             * Whether the KeyUsage and ExtKeyUsage extensions should be set in the encoded CSR.
+             *
+             * This option defaults to true, and should only be disabled if the target
+             * issuer does not support CSRs with these X509 KeyUsage/ ExtKeyUsage extensions.
+             */
+            encodeUsagesInRequest: boolean;
+            /**
+             * Requested IP address subject alternative names.
+             */
+            ipAddresses: string[];
+            /**
+             * Requested basic constraints isCA value.
+             * The isCA value is used to set the `isCA` field on the created CertificateRequest
+             * resources. Note that the issuer may choose to ignore the requested isCA value, just
+             * like any other requested attribute.
+             *
+             * If true, this will automatically add the `cert sign` usage to the list
+             * of requested `usages`.
+             */
+            isCA: boolean;
+            issuerRef: outputs.cert_manager.v1.CertificateSpecIssuerRefPatch;
+            keystores: outputs.cert_manager.v1.CertificateSpecKeystoresPatch;
+            /**
+             * Requested X.509 certificate subject, represented using the LDAP "String
+             * Representation of a Distinguished Name" [1].
+             * Important: the LDAP string format also specifies the order of the attributes
+             * in the subject, this is important when issuing certs for LDAP authentication.
+             * Example: `CN=foo,DC=corp,DC=example,DC=com`
+             * More info [1]: https://datatracker.ietf.org/doc/html/rfc4514
+             * More info: https://github.com/cert-manager/cert-manager/issues/3203
+             * More info: https://github.com/cert-manager/cert-manager/issues/4424
+             *
+             * Cannot be set if the `subject` or `commonName` field is set.
+             */
+            literalSubject: string;
+            nameConstraints: outputs.cert_manager.v1.CertificateSpecNameConstraintsPatch;
+            /**
+             * `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+             * Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+             * Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+             * You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+             */
+            otherNames: outputs.cert_manager.v1.CertificateSpecOtherNamesPatch[];
+            privateKey: outputs.cert_manager.v1.CertificateSpecPrivateKeyPatch;
+            /**
+             * How long before the currently issued certificate's expiry cert-manager should
+             * renew the certificate. For example, if a certificate is valid for 60 minutes,
+             * and `renewBefore=10m`, cert-manager will begin to attempt to renew the certificate
+             * 50 minutes after it was issued (i.e. when there are 10 minutes remaining until
+             * the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * If unset, this defaults to 1/3 of the issued certificate's lifetime.
+             * Minimum accepted value is 5 minutes.
+             * Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+             * Cannot be set if the `renewBeforePercentage` field is set.
+             */
+            renewBefore: string;
+            /**
+             * `renewBeforePercentage` is like `renewBefore`, except it is a relative percentage
+             * rather than an absolute duration. For example, if a certificate is valid for 60
+             * minutes, and  `renewBeforePercentage=25`, cert-manager will begin to attempt to
+             * renew the certificate 45 minutes after it was issued (i.e. when there are 15
+             * minutes (25%) remaining until the certificate is no longer valid).
+             *
+             * NOTE: The actual lifetime of the issued certificate is used to determine the
+             * renewal time. If an issuer returns a certificate with a different lifetime than
+             * the one requested, cert-manager will use the lifetime of the issued certificate.
+             *
+             * Value must be an integer in the range (0,100). The minimum effective
+             * `renewBefore` derived from the `renewBeforePercentage` and `duration` fields is 5
+             * minutes.
+             * Cannot be set if the `renewBefore` field is set.
+             */
+            renewBeforePercentage: number;
+            /**
+             * The maximum number of CertificateRequest revisions that are maintained in
+             * the Certificate's history. Each revision represents a single `CertificateRequest`
+             * created by this Certificate, either when it was created, renewed, or Spec
+             * was changed. Revisions will be removed by oldest first if the number of
+             * revisions exceeds this number.
+             *
+             * If set, revisionHistoryLimit must be a value of `1` or greater.
+             * Default value is `1`.
+             */
+            revisionHistoryLimit: number;
+            /**
+             * Name of the Secret resource that will be automatically created and
+             * managed by this Certificate resource. It will be populated with a
+             * private key and certificate, signed by the denoted issuer. The Secret
+             * resource lives in the same namespace as the Certificate resource.
+             */
+            secretName: string;
+            secretTemplate: outputs.cert_manager.v1.CertificateSpecSecretTemplatePatch;
+            /**
+             * Signature algorithm to use.
+             * Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA.
+             * Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512.
+             * Allowed values for Ed25519 keys: PureEd25519.
+             */
+            signatureAlgorithm: string;
+            subject: outputs.cert_manager.v1.CertificateSpecSubjectPatch;
+            /**
+             * Requested URI subject alternative names.
+             */
+            uris: string[];
+            /**
+             * Requested key usages and extended key usages.
+             * These usages are used to set the `usages` field on the created CertificateRequest
+             * resources. If `encodeUsagesInRequest` is unset or set to `true`, the usages
+             * will additionally be encoded in the `request` field which contains the CSR blob.
+             *
+             * If unset, defaults to `digital signature` and `key encipherment`.
+             */
+            usages: string[];
+        }
+
+        /**
+         * Private key options. These include the key algorithm and size, the used
+         * encoding and the rotation policy.
+         */
+        export interface CertificateSpecPrivateKey {
+            /**
+             * Algorithm is the private key algorithm of the corresponding private key
+             * for this certificate.
+             *
+             * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
+             * If `algorithm` is specified and `size` is not provided,
+             * key size of 2048 will be used for `RSA` key algorithm and
+             * key size of 256 will be used for `ECDSA` key algorithm.
+             * key size is ignored when using the `Ed25519` key algorithm.
+             */
+            algorithm: string;
+            /**
+             * The private key cryptography standards (PKCS) encoding for this
+             * certificate's private key to be encoded in.
+             *
+             * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+             * and PKCS#8, respectively.
+             * Defaults to `PKCS1` if not specified.
+             */
+            encoding: string;
+            /**
+             * RotationPolicy controls how private keys should be regenerated when a
+             * re-issuance is being processed.
+             *
+             * If set to `Never`, a private key will only be generated if one does not
+             * already exist in the target `spec.secretName`. If one does exist but it
+             * does not have the correct algorithm or size, a warning will be raised
+             * to await user intervention.
+             * If set to `Always`, a private key matching the specified requirements
+             * will be generated whenever a re-issuance occurs.
+             * Default is `Always`.
+             * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
+             * The new default can be disabled by setting the
+             * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
+             * the controller component.
+             */
+            rotationPolicy: string;
+            /**
+             * Size is the key bit size of the corresponding private key for this certificate.
+             *
+             * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+             * and will default to `2048` if not specified.
+             * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+             * and will default to `256` if not specified.
+             * If `algorithm` is set to `Ed25519`, Size is ignored.
+             * No other values are allowed.
+             */
+            size: number;
+        }
+
+        /**
+         * Private key options. These include the key algorithm and size, the used
+         * encoding and the rotation policy.
+         */
+        export interface CertificateSpecPrivateKeyPatch {
+            /**
+             * Algorithm is the private key algorithm of the corresponding private key
+             * for this certificate.
+             *
+             * If provided, allowed values are either `RSA`, `ECDSA` or `Ed25519`.
+             * If `algorithm` is specified and `size` is not provided,
+             * key size of 2048 will be used for `RSA` key algorithm and
+             * key size of 256 will be used for `ECDSA` key algorithm.
+             * key size is ignored when using the `Ed25519` key algorithm.
+             */
+            algorithm: string;
+            /**
+             * The private key cryptography standards (PKCS) encoding for this
+             * certificate's private key to be encoded in.
+             *
+             * If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+             * and PKCS#8, respectively.
+             * Defaults to `PKCS1` if not specified.
+             */
+            encoding: string;
+            /**
+             * RotationPolicy controls how private keys should be regenerated when a
+             * re-issuance is being processed.
+             *
+             * If set to `Never`, a private key will only be generated if one does not
+             * already exist in the target `spec.secretName`. If one does exist but it
+             * does not have the correct algorithm or size, a warning will be raised
+             * to await user intervention.
+             * If set to `Always`, a private key matching the specified requirements
+             * will be generated whenever a re-issuance occurs.
+             * Default is `Always`.
+             * The default was changed from `Never` to `Always` in cert-manager >=v1.18.0.
+             * The new default can be disabled by setting the
+             * `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on
+             * the controller component.
+             */
+            rotationPolicy: string;
+            /**
+             * Size is the key bit size of the corresponding private key for this certificate.
+             *
+             * If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+             * and will default to `2048` if not specified.
+             * If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+             * and will default to `256` if not specified.
+             * If `algorithm` is set to `Ed25519`, Size is ignored.
+             * No other values are allowed.
+             */
+            size: number;
+        }
+
+        /**
+         * Defines annotations and labels to be copied to the Certificate's Secret.
+         * Labels and annotations on the Secret will be changed as they appear on the
+         * SecretTemplate when added or removed. SecretTemplate annotations are added
+         * in conjunction with, and cannot overwrite, the base set of annotations
+         * cert-manager sets on the Certificate's Secret.
+         */
+        export interface CertificateSpecSecretTemplate {
+            /**
+             * Annotations is a key value map to be copied to the target Kubernetes Secret.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels is a key value map to be copied to the target Kubernetes Secret.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Defines annotations and labels to be copied to the Certificate's Secret.
+         * Labels and annotations on the Secret will be changed as they appear on the
+         * SecretTemplate when added or removed. SecretTemplate annotations are added
+         * in conjunction with, and cannot overwrite, the base set of annotations
+         * cert-manager sets on the Certificate's Secret.
+         */
+        export interface CertificateSpecSecretTemplatePatch {
+            /**
+             * Annotations is a key value map to be copied to the target Kubernetes Secret.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels is a key value map to be copied to the target Kubernetes Secret.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Requested set of X509 certificate subject attributes.
+         * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+         *
+         * The common name attribute is specified separately in the `commonName` field.
+         * Cannot be set if the `literalSubject` field is set.
+         */
+        export interface CertificateSpecSubject {
+            /**
+             * Countries to be used on the Certificate.
+             */
+            countries: string[];
+            /**
+             * Cities to be used on the Certificate.
+             */
+            localities: string[];
+            /**
+             * Organizational Units to be used on the Certificate.
+             */
+            organizationalUnits: string[];
+            /**
+             * Organizations to be used on the Certificate.
+             */
+            organizations: string[];
+            /**
+             * Postal codes to be used on the Certificate.
+             */
+            postalCodes: string[];
+            /**
+             * State/Provinces to be used on the Certificate.
+             */
+            provinces: string[];
+            /**
+             * Serial number to be used on the Certificate.
+             */
+            serialNumber: string;
+            /**
+             * Street addresses to be used on the Certificate.
+             */
+            streetAddresses: string[];
+        }
+
+        /**
+         * Requested set of X509 certificate subject attributes.
+         * More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+         *
+         * The common name attribute is specified separately in the `commonName` field.
+         * Cannot be set if the `literalSubject` field is set.
+         */
+        export interface CertificateSpecSubjectPatch {
+            /**
+             * Countries to be used on the Certificate.
+             */
+            countries: string[];
+            /**
+             * Cities to be used on the Certificate.
+             */
+            localities: string[];
+            /**
+             * Organizational Units to be used on the Certificate.
+             */
+            organizationalUnits: string[];
+            /**
+             * Organizations to be used on the Certificate.
+             */
+            organizations: string[];
+            /**
+             * Postal codes to be used on the Certificate.
+             */
+            postalCodes: string[];
+            /**
+             * State/Provinces to be used on the Certificate.
+             */
+            provinces: string[];
+            /**
+             * Serial number to be used on the Certificate.
+             */
+            serialNumber: string;
+            /**
+             * Street addresses to be used on the Certificate.
+             */
+            streetAddresses: string[];
+        }
+
+        /**
+         * Status of the Certificate.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateStatus {
+            /**
+             * List of status conditions to indicate the status of certificates.
+             * Known condition types are `Ready` and `Issuing`.
+             */
+            conditions: outputs.cert_manager.v1.CertificateStatusConditions[];
+            /**
+             * The number of continuous failed issuance attempts up till now. This
+             * field gets removed (if set) on a successful issuance and gets set to
+             * 1 if unset and an issuance has failed. If an issuance has failed, the
+             * delay till the next issuance will be calculated using formula
+             * time.Hour * 2 ^ (failedIssuanceAttempts - 1).
+             */
+            failedIssuanceAttempts: number;
+            /**
+             * LastFailureTime is set only if the latest issuance for this
+             * Certificate failed and contains the time of the failure. If an
+             * issuance has failed, the delay till the next issuance will be
+             * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
+             * 1). If the latest issuance has succeeded this field will be unset.
+             */
+            lastFailureTime: string;
+            /**
+             * The name of the Secret resource containing the private key to be used
+             * for the next certificate iteration.
+             * The keymanager controller will automatically set this field if the
+             * `Issuing` condition is set to `True`.
+             * It will automatically unset this field when the Issuing condition is
+             * not set or False.
+             */
+            nextPrivateKeySecretName: string;
+            /**
+             * The expiration time of the certificate stored in the secret named
+             * by this resource in `spec.secretName`.
+             */
+            notAfter: string;
+            /**
+             * The time after which the certificate stored in the secret named
+             * by this resource in `spec.secretName` is valid.
+             */
+            notBefore: string;
+            /**
+             * RenewalTime is the time at which the certificate will be next
+             * renewed.
+             * If not set, no upcoming renewal is scheduled.
+             */
+            renewalTime: string;
+            /**
+             * The current 'revision' of the certificate as issued.
+             *
+             * When a CertificateRequest resource is created, it will have the
+             * `cert-manager.io/certificate-revision` set to one greater than the
+             * current value of this field.
+             *
+             * Upon issuance, this field will be set to the value of the annotation
+             * on the CertificateRequest resource used to issue the certificate.
+             *
+             * Persisting the value on the CertificateRequest resource allows the
+             * certificates controller to know whether a request is part of an old
+             * issuance or if it is part of the ongoing revision's issuance by
+             * checking if the revision value in the annotation is greater than this
+             * field.
+             */
+            revision: number;
+        }
+
+        /**
+         * CertificateCondition contains condition information for a Certificate.
+         */
+        export interface CertificateStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Certificate.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`, `Issuing`).
+             */
+            type: string;
+        }
+
+        /**
+         * CertificateCondition contains condition information for a Certificate.
+         */
+        export interface CertificateStatusConditionsPatch {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Certificate.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`, `Issuing`).
+             */
+            type: string;
+        }
+
+        /**
+         * Status of the Certificate.
+         * This is set and managed automatically.
+         * Read-only.
+         * More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+         */
+        export interface CertificateStatusPatch {
+            /**
+             * List of status conditions to indicate the status of certificates.
+             * Known condition types are `Ready` and `Issuing`.
+             */
+            conditions: outputs.cert_manager.v1.CertificateStatusConditionsPatch[];
+            /**
+             * The number of continuous failed issuance attempts up till now. This
+             * field gets removed (if set) on a successful issuance and gets set to
+             * 1 if unset and an issuance has failed. If an issuance has failed, the
+             * delay till the next issuance will be calculated using formula
+             * time.Hour * 2 ^ (failedIssuanceAttempts - 1).
+             */
+            failedIssuanceAttempts: number;
+            /**
+             * LastFailureTime is set only if the latest issuance for this
+             * Certificate failed and contains the time of the failure. If an
+             * issuance has failed, the delay till the next issuance will be
+             * calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts -
+             * 1). If the latest issuance has succeeded this field will be unset.
+             */
+            lastFailureTime: string;
+            /**
+             * The name of the Secret resource containing the private key to be used
+             * for the next certificate iteration.
+             * The keymanager controller will automatically set this field if the
+             * `Issuing` condition is set to `True`.
+             * It will automatically unset this field when the Issuing condition is
+             * not set or False.
+             */
+            nextPrivateKeySecretName: string;
+            /**
+             * The expiration time of the certificate stored in the secret named
+             * by this resource in `spec.secretName`.
+             */
+            notAfter: string;
+            /**
+             * The time after which the certificate stored in the secret named
+             * by this resource in `spec.secretName` is valid.
+             */
+            notBefore: string;
+            /**
+             * RenewalTime is the time at which the certificate will be next
+             * renewed.
+             * If not set, no upcoming renewal is scheduled.
+             */
+            renewalTime: string;
+            /**
+             * The current 'revision' of the certificate as issued.
+             *
+             * When a CertificateRequest resource is created, it will have the
+             * `cert-manager.io/certificate-revision` set to one greater than the
+             * current value of this field.
+             *
+             * Upon issuance, this field will be set to the value of the annotation
+             * on the CertificateRequest resource used to issue the certificate.
+             *
+             * Persisting the value on the CertificateRequest resource allows the
+             * certificates controller to know whether a request is part of an old
+             * issuance or if it is part of the ongoing revision's issuance by
+             * checking if the revision value in the annotation is greater than this
+             * field.
+             */
+            revision: number;
+        }
+
+        /**
+         * A ClusterIssuer represents a certificate issuing authority which can be
+         * referenced as part of `issuerRef` fields.
+         * It is similar to an Issuer, however it is cluster-scoped and therefore can
+         * be referenced by resources that exist in *any* namespace, not just the same
+         * namespace as the referent.
+         */
+        export interface ClusterIssuer {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "ClusterIssuer";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpec;
+            status: outputs.cert_manager.v1.ClusterIssuerStatus;
+        }
+
+        /**
+         * Desired state of the ClusterIssuer resource.
+         */
+        export interface ClusterIssuerSpec {
+            acme: outputs.cert_manager.v1.ClusterIssuerSpecAcme;
+            ca: outputs.cert_manager.v1.ClusterIssuerSpecCa;
+            selfSigned: outputs.cert_manager.v1.ClusterIssuerSpecSelfSigned;
+            vault: outputs.cert_manager.v1.ClusterIssuerSpecVault;
+            venafi: outputs.cert_manager.v1.ClusterIssuerSpecVenafi;
+        }
+
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        export interface ClusterIssuerSpecAcme {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration: boolean;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email: string;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature: boolean;
+            externalAccountBinding: outputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBinding;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain: string;
+            privateKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRef;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server: string;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify: boolean;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolvers[];
+        }
+
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        export interface ClusterIssuerSpecAcmeExternalAccountBinding {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm: string;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID: string;
+            keySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRef;
+        }
+
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        export interface ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        export interface ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        export interface ClusterIssuerSpecAcmeExternalAccountBindingPatch {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm: string;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID: string;
+            keySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingKeySecretRefPatch;
+        }
+
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        export interface ClusterIssuerSpecAcmePatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration: boolean;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email: string;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature: boolean;
+            externalAccountBinding: outputs.cert_manager.v1.ClusterIssuerSpecAcmeExternalAccountBindingPatch;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain: string;
+            privateKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmePrivateKeySecretRefPatch;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server: string;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify: boolean;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversPatch[];
+        }
+
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        export interface ClusterIssuerSpecAcmePrivateKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        export interface ClusterIssuerSpecAcmePrivateKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        export interface ClusterIssuerSpecAcmeSolvers {
+            dns01: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01;
+            http01: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01;
+            selector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversSelector;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01 {
+            acmeDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNS;
+            akamai: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Akamai;
+            azureDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNS;
+            cloudDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNS;
+            cloudflare: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Cloudflare;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Digitalocean;
+            rfc2136: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136;
+            route53: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53;
+            webhook: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Webhook;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AcmeDNS {
+            accountSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef;
+            host: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AcmeDNSPatch {
+            accountSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch;
+            host: string;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Akamai {
+            accessTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef;
+            clientSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef;
+            clientTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef;
+            serviceConsumerDomain: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AkamaiPatch {
+            accessTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch;
+            clientSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch;
+            clientTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch;
+            serviceConsumerDomain: string;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Cloudflare {
+            apiKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef;
+            apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01CloudflarePatch {
+            apiKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch;
+            apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Digitalocean {
+            tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanPatch {
+            tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Patch {
+            acmeDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AcmeDNSPatch;
+            akamai: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AkamaiPatch;
+            azureDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01AzureDNSPatch;
+            cloudDNS: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudDNSPatch;
+            cloudflare: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01CloudflarePatch;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01DigitaloceanPatch;
+            rfc2136: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136Patch;
+            route53: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Patch;
+            webhook: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01WebhookPatch;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef;
+            auth: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53Auth;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53Auth {
+            kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetes;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetes {
+            serviceAccountRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch {
+            serviceAccountRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch {
+            kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch;
+            auth: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53AuthPatch;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {[key: string]: any};
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface ClusterIssuerSpecAcmeSolversDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {[key: string]: any};
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01 {
+            gatewayHTTPRoute: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute;
+            ingress: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01Ingress;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {[key: string]: string};
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs[];
+            podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {[key: string]: string};
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch[];
+            podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources;
+            securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch;
+            securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[];
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[];
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplate;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplate {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata;
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplate {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpec;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplatePatch {
+            metadata: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch;
+            spec: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpec {
+            affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources;
+            securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch {
+            affinity: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch;
+            securityContext: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch[];
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls[];
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface ClusterIssuerSpecAcmeSolversHttp01Patch {
+            gatewayHTTPRoute: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch;
+            ingress: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01IngressPatch;
+        }
+
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        export interface ClusterIssuerSpecAcmeSolversPatch {
+            dns01: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversDns01Patch;
+            http01: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversHttp01Patch;
+            selector: outputs.cert_manager.v1.ClusterIssuerSpecAcmeSolversSelectorPatch;
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface ClusterIssuerSpecAcmeSolversSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface ClusterIssuerSpecAcmeSolversSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        export interface ClusterIssuerSpecCa {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints: string[];
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs: string[];
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers: string[];
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName: string;
+        }
+
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        export interface ClusterIssuerSpecCaPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints: string[];
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs: string[];
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers: string[];
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName: string;
+        }
+
+        /**
+         * Desired state of the ClusterIssuer resource.
+         */
+        export interface ClusterIssuerSpecPatch {
+            acme: outputs.cert_manager.v1.ClusterIssuerSpecAcmePatch;
+            ca: outputs.cert_manager.v1.ClusterIssuerSpecCaPatch;
+            selfSigned: outputs.cert_manager.v1.ClusterIssuerSpecSelfSignedPatch;
+            vault: outputs.cert_manager.v1.ClusterIssuerSpecVaultPatch;
+            venafi: outputs.cert_manager.v1.ClusterIssuerSpecVenafiPatch;
+        }
+
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        export interface ClusterIssuerSpecSelfSigned {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints: string[];
+        }
+
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        export interface ClusterIssuerSpecSelfSignedPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints: string[];
+        }
+
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        export interface ClusterIssuerSpecVault {
+            auth: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuth;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultCaBundleSecretRef;
+            clientCertSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultClientCertSecretRef;
+            clientKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultClientKeySecretRef;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace: string;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path: string;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server: string;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        export interface ClusterIssuerSpecVaultAuth {
+            appRole: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRole;
+            clientCertificate: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificate;
+            kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetes;
+            tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRef;
+        }
+
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        export interface ClusterIssuerSpecVaultAuthAppRole {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path: string;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId: string;
+            secretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRoleSecretRef;
+        }
+
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        export interface ClusterIssuerSpecVaultAuthAppRolePatch {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path: string;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId: string;
+            secretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRoleSecretRefPatch;
+        }
+
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        export interface ClusterIssuerSpecVaultAuthAppRoleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        export interface ClusterIssuerSpecVaultAuthAppRoleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        export interface ClusterIssuerSpecVaultAuthClientCertificate {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath: string;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name: string;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName: string;
+        }
+
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        export interface ClusterIssuerSpecVaultAuthClientCertificatePatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath: string;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name: string;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName: string;
+        }
+
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetes {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath: string;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role: string;
+            secretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesSecretRef;
+            serviceAccountRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesServiceAccountRef;
+        }
+
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesPatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath: string;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role: string;
+            secretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesSecretRefPatch;
+            serviceAccountRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesServiceAccountRefPatch;
+        }
+
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        export interface ClusterIssuerSpecVaultAuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        export interface ClusterIssuerSpecVaultAuthPatch {
+            appRole: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthAppRolePatch;
+            clientCertificate: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthClientCertificatePatch;
+            kubernetes: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthKubernetesPatch;
+            tokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthTokenSecretRefPatch;
+        }
+
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        export interface ClusterIssuerSpecVaultAuthTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        export interface ClusterIssuerSpecVaultAuthTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        export interface ClusterIssuerSpecVaultCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        export interface ClusterIssuerSpecVaultCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        export interface ClusterIssuerSpecVaultClientCertSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        export interface ClusterIssuerSpecVaultClientCertSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        export interface ClusterIssuerSpecVaultClientKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        export interface ClusterIssuerSpecVaultClientKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        export interface ClusterIssuerSpecVaultPatch {
+            auth: outputs.cert_manager.v1.ClusterIssuerSpecVaultAuthPatch;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultCaBundleSecretRefPatch;
+            clientCertSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultClientCertSecretRefPatch;
+            clientKeySecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVaultClientKeySecretRefPatch;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace: string;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path: string;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server: string;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName: string;
+        }
+
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        export interface ClusterIssuerSpecVenafi {
+            cloud: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloud;
+            tpp: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTpp;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone: string;
+        }
+
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface ClusterIssuerSpecVenafiCloud {
+            apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRef;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url: string;
+        }
+
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        export interface ClusterIssuerSpecVenafiCloudApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        export interface ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface ClusterIssuerSpecVenafiCloudPatch {
+            apiTokenSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudApiTokenSecretRefPatch;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url: string;
+        }
+
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        export interface ClusterIssuerSpecVenafiPatch {
+            cloud: outputs.cert_manager.v1.ClusterIssuerSpecVenafiCloudPatch;
+            tpp: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppPatch;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone: string;
+        }
+
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface ClusterIssuerSpecVenafiTpp {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRef;
+            credentialsRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRef;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url: string;
+        }
+
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        export interface ClusterIssuerSpecVenafiTppCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        export interface ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        export interface ClusterIssuerSpecVenafiTppCredentialsRef {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        export interface ClusterIssuerSpecVenafiTppCredentialsRefPatch {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface ClusterIssuerSpecVenafiTppPatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCaBundleSecretRefPatch;
+            credentialsRef: outputs.cert_manager.v1.ClusterIssuerSpecVenafiTppCredentialsRefPatch;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url: string;
+        }
+
+        /**
+         * Status of the ClusterIssuer. This is set and managed automatically.
+         */
+        export interface ClusterIssuerStatus {
+            acme: outputs.cert_manager.v1.ClusterIssuerStatusAcme;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions: outputs.cert_manager.v1.ClusterIssuerStatusConditions[];
+        }
+
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        export interface ClusterIssuerStatusAcme {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash: string;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail: string;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri: string;
+        }
+
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        export interface ClusterIssuerStatusAcmePatch {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash: string;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail: string;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri: string;
+        }
+
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        export interface ClusterIssuerStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type: string;
+        }
+
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        export interface ClusterIssuerStatusConditionsPatch {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type: string;
+        }
+
+        /**
+         * Status of the ClusterIssuer. This is set and managed automatically.
+         */
+        export interface ClusterIssuerStatusPatch {
+            acme: outputs.cert_manager.v1.ClusterIssuerStatusAcmePatch;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions: outputs.cert_manager.v1.ClusterIssuerStatusConditionsPatch[];
+        }
+
+        /**
+         * An Issuer represents a certificate issuing authority which can be
+         * referenced as part of `issuerRef` fields.
+         * It is scoped to a single namespace and can therefore only be referenced by
+         * resources within the same namespace.
+         */
+        export interface Issuer {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "cert-manager.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Issuer";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.cert_manager.v1.IssuerSpec;
+            status: outputs.cert_manager.v1.IssuerStatus;
+        }
+
+        /**
+         * Desired state of the Issuer resource.
+         */
+        export interface IssuerSpec {
+            acme: outputs.cert_manager.v1.IssuerSpecAcme;
+            ca: outputs.cert_manager.v1.IssuerSpecCa;
+            selfSigned: outputs.cert_manager.v1.IssuerSpecSelfSigned;
+            vault: outputs.cert_manager.v1.IssuerSpecVault;
+            venafi: outputs.cert_manager.v1.IssuerSpecVenafi;
+        }
+
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        export interface IssuerSpecAcme {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration: boolean;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email: string;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature: boolean;
+            externalAccountBinding: outputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBinding;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain: string;
+            privateKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRef;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server: string;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify: boolean;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers: outputs.cert_manager.v1.IssuerSpecAcmeSolvers[];
+        }
+
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        export interface IssuerSpecAcmeExternalAccountBinding {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm: string;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID: string;
+            keySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingKeySecretRef;
+        }
+
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        export interface IssuerSpecAcmeExternalAccountBindingKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+         * Secret which holds the symmetric MAC key of the External Account Binding.
+         * The `key` is the index string that is paired with the key data in the
+         * Secret and should not be confused with the key data itself, or indeed with
+         * the External Account Binding keyID above.
+         * The secret key stored in the Secret **must** be un-padded, base64 URL
+         * encoded data.
+         */
+        export interface IssuerSpecAcmeExternalAccountBindingKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * ExternalAccountBinding is a reference to a CA external account of the ACME
+         * server.
+         * If set, upon registration cert-manager will attempt to associate the given
+         * external account credentials with the registered ACME account.
+         */
+        export interface IssuerSpecAcmeExternalAccountBindingPatch {
+            /**
+             * Deprecated: keyAlgorithm field exists for historical compatibility
+             * reasons and should not be used. The algorithm is now hardcoded to HS256
+             * in golang/x/crypto/acme.
+             */
+            keyAlgorithm: string;
+            /**
+             * keyID is the ID of the CA key that the External Account is bound to.
+             */
+            keyID: string;
+            keySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingKeySecretRefPatch;
+        }
+
+        /**
+         * ACME configures this issuer to communicate with a RFC8555 (ACME) server
+         * to obtain signed x509 certificates.
+         */
+        export interface IssuerSpecAcmePatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which can be used to validate the certificate
+             * chain presented by the ACME server.
+             * Mutually exclusive with SkipTLSVerify; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            /**
+             * Enables or disables generating a new ACME account key.
+             * If true, the Issuer resource will *not* request a new account but will expect
+             * the account key to be supplied via an existing secret.
+             * If false, the cert-manager system will generate a new ACME account key
+             * for the Issuer.
+             * Defaults to false.
+             */
+            disableAccountKeyGeneration: boolean;
+            /**
+             * Email is the email address to be associated with the ACME account.
+             * This field is optional, but it is strongly recommended to be set.
+             * It will be used to contact you in case of issues with your account or
+             * certificates, including expiry notification emails.
+             * This field may be updated after the account is initially registered.
+             */
+            email: string;
+            /**
+             * Enables requesting a Not After date on certificates that matches the
+             * duration of the certificate. This is not supported by all ACME servers
+             * like Let's Encrypt. If set to true when the ACME server does not support
+             * it, it will create an error on the Order.
+             * Defaults to false.
+             */
+            enableDurationFeature: boolean;
+            externalAccountBinding: outputs.cert_manager.v1.IssuerSpecAcmeExternalAccountBindingPatch;
+            /**
+             * PreferredChain is the chain to use if the ACME server outputs multiple.
+             * PreferredChain is no guarantee that this one gets delivered by the ACME
+             * endpoint.
+             * For example, for Let's Encrypt's DST cross-sign you would use:
+             * "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+             * This value picks the first certificate bundle in the combined set of
+             * ACME default and alternative chains that has a root-most certificate with
+             * this value as its issuer's commonname.
+             */
+            preferredChain: string;
+            privateKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmePrivateKeySecretRefPatch;
+            /**
+             * Profile allows requesting a certificate profile from the ACME server.
+             * Supported profiles are listed by the server's ACME directory URL.
+             */
+            profile: string;
+            /**
+             * Server is the URL used to access the ACME server's 'directory' endpoint.
+             * For example, for Let's Encrypt's staging endpoint, you would use:
+             * "https://acme-staging-v02.api.letsencrypt.org/directory".
+             * Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+             */
+            server: string;
+            /**
+             * INSECURE: Enables or disables validation of the ACME server TLS certificate.
+             * If true, requests to the ACME server will not have the TLS certificate chain
+             * validated.
+             * Mutually exclusive with CABundle; prefer using CABundle to prevent various
+             * kinds of security vulnerabilities.
+             * Only enable this option in development environments.
+             * If CABundle and SkipTLSVerify are unset, the system certificate bundle inside
+             * the container is used to validate the TLS connection.
+             * Defaults to false.
+             */
+            skipTLSVerify: boolean;
+            /**
+             * Solvers is a list of challenge solvers that will be used to solve
+             * ACME challenges for the matching domains.
+             * Solver configurations must be provided in order to obtain certificates
+             * from an ACME server.
+             * For more information, see: https://cert-manager.io/docs/configuration/acme/
+             */
+            solvers: outputs.cert_manager.v1.IssuerSpecAcmeSolversPatch[];
+        }
+
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        export interface IssuerSpecAcmePrivateKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PrivateKey is the name of a Kubernetes Secret resource that will be used to
+         * store the automatically generated ACME account private key.
+         * Optionally, a `key` may be specified to select a specific entry within
+         * the named Secret resource.
+         * If `key` is not specified, a default of `tls.key` will be used.
+         */
+        export interface IssuerSpecAcmePrivateKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        export interface IssuerSpecAcmeSolvers {
+            dns01: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01;
+            http01: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01;
+            selector: outputs.cert_manager.v1.IssuerSpecAcmeSolversSelector;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface IssuerSpecAcmeSolversDns01 {
+            acmeDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNS;
+            akamai: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Akamai;
+            azureDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNS;
+            cloudDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNS;
+            cloudflare: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Cloudflare;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Digitalocean;
+            rfc2136: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136;
+            route53: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53;
+            webhook: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Webhook;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AcmeDNS {
+            accountSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef;
+            host: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+         * DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AcmeDNSPatch {
+            accountSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSAccountSecretRefPatch;
+            host: string;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Akamai {
+            accessTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef;
+            clientSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef;
+            clientTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef;
+            serviceConsumerDomain: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the Akamai DNS zone management API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AkamaiPatch {
+            accessTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiAccessTokenSecretRefPatch;
+            clientSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientSecretSecretRefPatch;
+            clientTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiClientTokenSecretRefPatch;
+            serviceConsumerDomain: string;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNS {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Auth: Azure Service Principal:
+         * A reference to a Secret containing the password associated with the Service Principal.
+         * If set, ClientID and TenantID must also be set.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentity {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Auth: Azure Workload Identity or Azure Managed Service Identity:
+         * Settings to enable Azure Workload Identity or Azure Managed Service Identity
+         * If set, ClientID, ClientSecret and TenantID must not be set.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch {
+            /**
+             * client ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            clientID: string;
+            /**
+             * resource ID of the managed identity, cannot be used at the same time as clientID
+             * Cannot be used for Azure Managed Service Identity
+             */
+            resourceID: string;
+            /**
+             * tenant ID of the managed identity, cannot be used at the same time as resourceID
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01AzureDNSPatch {
+            /**
+             * Auth: Azure Service Principal:
+             * The ClientID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientSecret and TenantID must also be set.
+             */
+            clientID: string;
+            clientSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSClientSecretSecretRefPatch;
+            /**
+             * name of the Azure environment (default AzurePublicCloud)
+             */
+            environment: string;
+            /**
+             * name of the DNS zone that should be used
+             */
+            hostedZoneName: string;
+            managedIdentity: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSManagedIdentityPatch;
+            /**
+             * resource group the DNS zone is located in
+             */
+            resourceGroupName: string;
+            /**
+             * ID of the Azure subscription
+             */
+            subscriptionID: string;
+            /**
+             * Auth: Azure Service Principal:
+             * The TenantID of the Azure Service Principal used to authenticate with Azure DNS.
+             * If set, ClientID and ClientSecret must also be set.
+             */
+            tenantID: string;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudDNS {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef;
+        }
+
+        /**
+         * Use the Google Cloud DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudDNSPatch {
+            /**
+             * HostedZoneName is an optional field that tells cert-manager in which
+             * Cloud DNS zone the challenge record has to be created.
+             * If left empty cert-manager will automatically choose a zone.
+             */
+            hostedZoneName: string;
+            project: string;
+            serviceAccountSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudDNSServiceAccountSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Cloudflare {
+            apiKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef;
+            apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * API key to use to authenticate with Cloudflare.
+         * Note: using an API token to authenticate is now the recommended method
+         * as it allows greater control of permissions.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * API token used to authenticate with Cloudflare.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the Cloudflare API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01CloudflarePatch {
+            apiKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiKeySecretRefPatch;
+            apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflareApiTokenSecretRefPatch;
+            /**
+             * Email of the account, only required when using API key based authentication.
+             */
+            email: string;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Digitalocean {
+            tokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef;
+        }
+
+        /**
+         * Use the DigitalOcean DNS API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01DigitaloceanPatch {
+            tokenSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a specific 'key' within a Secret resource.
+         * In some instances, `key` is a required field.
+         */
+        export interface IssuerSpecAcmeSolversDns01DigitaloceanTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the DNS01 challenge flow.
+         */
+        export interface IssuerSpecAcmeSolversDns01Patch {
+            acmeDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AcmeDNSPatch;
+            akamai: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AkamaiPatch;
+            azureDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01AzureDNSPatch;
+            cloudDNS: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudDNSPatch;
+            cloudflare: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01CloudflarePatch;
+            /**
+             * CNAMEStrategy configures how the DNS01 provider should handle CNAME
+             * records when found in DNS zones.
+             */
+            cnameStrategy: string;
+            digitalocean: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01DigitaloceanPatch;
+            rfc2136: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136Patch;
+            route53: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Patch;
+            webhook: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01WebhookPatch;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Rfc2136 {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef;
+        }
+
+        /**
+         * Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+         * to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Rfc2136Patch {
+            /**
+             * The IP address or hostname of an authoritative DNS server supporting
+             * RFC2136 in the form host:port. If the host is an IPv6 address it must be
+             * enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+             * This field is required.
+             */
+            nameserver: string;
+            /**
+             * Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).
+             */
+            protocol: string;
+            /**
+             * The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+             * when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+             * Supported values are (case-insensitive): ``HMACMD5`` (default),
+             * ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+             */
+            tsigAlgorithm: string;
+            /**
+             * The TSIG Key name configured in the DNS.
+             * If ``tsigSecretSecretRef`` is defined, this field is required.
+             */
+            tsigKeyName: string;
+            tsigSecretSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The name of the secret containing the TSIG value.
+         * If ``tsigKeyName`` is defined, this field is required.
+         */
+        export interface IssuerSpecAcmeSolversDns01Rfc2136TsigSecretSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53 {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef;
+            auth: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53Auth;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication. If set, pull the AWS
+         * access key ID from a key within a Kubernetes Secret.
+         * Cannot be set when AccessKeyID is set.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53Auth {
+            kubernetes: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetes;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthKubernetes {
+            serviceAccountRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef;
+        }
+
+        /**
+         * Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity
+         * by passing a bound ServiceAccount token.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch {
+            serviceAccountRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). To use this field, you must
+         * configure an RBAC rule to let cert-manager request a token.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of audiences to include in the
+             * token passed to AWS. The default token consisting of the issuer's namespace
+             * and name is always included.
+             * If unset the audience defaults to `sts.amazonaws.com`.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53AuthPatch {
+            kubernetes: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthKubernetesPatch;
+        }
+
+        /**
+         * Use the AWS Route53 API to manage DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53Patch {
+            /**
+             * The AccessKeyID is used for authentication.
+             * Cannot be set when SecretAccessKeyID is set.
+             * If neither the Access Key nor Key ID are set, we fall-back to using env
+             * vars, shared credentials file or AWS Instance metadata,
+             * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+             */
+            accessKeyID: string;
+            accessKeyIDSecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AccessKeyIDSecretRefPatch;
+            auth: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53AuthPatch;
+            /**
+             * If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.
+             */
+            hostedZoneID: string;
+            /**
+             * Override the AWS region.
+             *
+             * Route53 is a global service and does not have regional endpoints but the
+             * region specified here (or via environment variables) is used as a hint to
+             * help compute the correct AWS credential scope and partition when it
+             * connects to Route53. See:
+             * - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html)
+             * - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html)
+             *
+             * If you omit this region field, cert-manager will use the region from
+             * AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set
+             * in the cert-manager controller Pod.
+             *
+             * The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook).
+             * In this case this `region` field value is ignored.
+             *
+             * The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html).
+             * Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by:
+             * [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent),
+             * In this case this `region` field value is ignored.
+             */
+            region: string;
+            /**
+             * Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+             * or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+             */
+            role: string;
+            secretAccessKeySecretRef: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The SecretAccessKey is used for authentication.
+         * If neither the Access Key nor Key ID are set, we fall-back to using env
+         * vars, shared credentials file or AWS Instance metadata,
+         * see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+         */
+        export interface IssuerSpecAcmeSolversDns01Route53SecretAccessKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01Webhook {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {[key: string]: any};
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+
+        /**
+         * Configure an external webhook based DNS01 challenge solver to manage
+         * DNS01 challenge records.
+         */
+        export interface IssuerSpecAcmeSolversDns01WebhookPatch {
+            /**
+             * Additional configuration that should be passed to the webhook apiserver
+             * when challenges are processed.
+             * This can contain arbitrary JSON data.
+             * Secret values should not be specified in this stanza.
+             * If secret values are needed (e.g., credentials for a DNS service), you
+             * should use a SecretKeySelector to reference a Secret resource.
+             * For details on the schema of this field, consult the webhook provider
+             * implementation's documentation.
+             */
+            config: {[key: string]: any};
+            /**
+             * The API group name that should be used when POSTing ChallengePayload
+             * resources to the webhook apiserver.
+             * This should be the same as the GroupName specified in the webhook
+             * provider implementation.
+             */
+            groupName: string;
+            /**
+             * The name of the solver to use, as defined in the webhook provider
+             * implementation.
+             * This will typically be the name of the provider, e.g., 'cloudflare'.
+             */
+            solverName: string;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface IssuerSpecAcmeSolversHttp01 {
+            gatewayHTTPRoute: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoute;
+            ingress: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01Ingress;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoute {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {[key: string]: string};
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs[];
+            podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             * <gateway:experimental:description>
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             * </gateway:experimental:description>
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             * <gateway:experimental:description>
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             * </gateway:experimental:description>
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * The Gateway API is a sig-network community API that models service networking
+         * in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+         * create HTTPRoutes with the specified labels in the same namespace as the challenge.
+         * This solver is experimental, and fields / behaviour may change in the future.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch {
+            /**
+             * Custom labels that will be applied to HTTPRoutes created by cert-manager
+             * while solving HTTP-01 challenges.
+             */
+            labels: {[key: string]: string};
+            /**
+             * When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute.
+             * cert-manager needs to know which parentRefs should be used when creating
+             * the HTTPRoute. Usually, the parentRef references a Gateway. See:
+             * https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways
+             */
+            parentRefs: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRouteParentRefsPatch[];
+            podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplate {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata;
+            spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplatePatch {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateMetadataPatch;
+            spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpec {
+            affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources;
+            securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinity {
+            nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecPatch {
+            affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch;
+            securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch[];
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls[];
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface IssuerSpecAcmeSolversHttp01Ingress {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplate;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplate;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressIngressTemplate {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata;
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver ingress.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver ingress.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Optional ingress template used to configure the ACME challenge solver
+         * ingress used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplateMetadataPatch;
+        }
+
+        /**
+         * The ingress based HTTP01 challenge solver will solve challenges by
+         * creating or modifying Ingress resources in order to route requests for
+         * '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+         * provisioned by cert-manager for each Challenge to be completed.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPatch {
+            /**
+             * This field configures the annotation `kubernetes.io/ingress.class` when
+             * creating Ingress resources to solve ACME challenges that use this
+             * challenge solver. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            class: string;
+            /**
+             * This field configures the field `ingressClassName` on the created Ingress
+             * resources used to solve ACME challenges that use this challenge solver.
+             * This is the recommended way of configuring the ingress class. Only one of
+             * `class`, `name` or `ingressClassName` may be specified.
+             */
+            ingressClassName: string;
+            ingressTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressIngressTemplatePatch;
+            /**
+             * The name of the ingress resource that should have ACME challenge solving
+             * routes inserted into it in order to solve HTTP01 challenges.
+             * This is typically used in conjunction with ingress controllers like
+             * ingress-gce, which maintains a 1:1 mapping between external IPs and
+             * ingress resources. Only one of `class`, `name` or `ingressClassName` may
+             * be specified.
+             */
+            name: string;
+            podTemplate: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplatePatch;
+            /**
+             * Optional service type for Kubernetes solver service. Supported values
+             * are NodePort or ClusterIP. If unset, defaults to NodePort.
+             */
+            serviceType: string;
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplate {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata;
+            spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpec;
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadata {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+         * Only the 'labels' and 'annotations' fields may be set.
+         * If labels or annotations overlap with in-built values, the values here
+         * will override the in-built values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch {
+            /**
+             * Annotations that should be added to the created ACME HTTP01 solver pods.
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that should be added to the created ACME HTTP01 solver pods.
+             */
+            labels: {[key: string]: string};
+        }
+
+        /**
+         * Optional pod template used to configure the ACME challenge solver pods
+         * used for HTTP01 challenges.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplatePatch {
+            metadata: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateMetadataPatch;
+            spec: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpec {
+            affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources;
+            securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinity {
+            nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity;
+            podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity;
+            podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution;
+        }
+
+        /**
+         * Describes node affinity scheduling rules for the pod.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node matches the corresponding matchExpressions; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * An empty preferred scheduling term matches all objects with implicit weight 0
+         * (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            preference: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch;
+            /**
+             * Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreference {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferencePatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPreferredDuringSchedulingIgnoredDuringExecutionPreferenceMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTerms {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressions {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFields {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A node selector requirement is a selector that contains values, a key, and an operator
+         * that relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch {
+            /**
+             * The label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * Represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+             */
+            operator: string;
+            /**
+             * An array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. If the operator is Gt or Lt, the values
+             * array must have a single element, which will be interpreted as an integer.
+             * This array is replaced during a strategic merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A null or empty node selector term matches no objects. The requirements of
+         * them are ANDed.
+         * The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch {
+            /**
+             * A list of node selector requirements by node's labels.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchExpressionsPatch[];
+            /**
+             * A list of node selector requirements by node's fields.
+             */
+            matchFields: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsMatchFieldsPatch[];
+        }
+
+        /**
+         * If the affinity requirements specified by this field are not met at
+         * scheduling time, the pod will not be scheduled onto the node.
+         * If the affinity requirements specified by this field cease to be met
+         * at some point during pod execution (e.g. due to an update), the system
+         * may or may not try to eventually evict the pod from its node.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            /**
+             * Required. A list of node selector terms. The terms are ORed.
+             */
+            nodeSelectorTerms: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityRequiredDuringSchedulingIgnoredDuringExecutionNodeSelectorTermsPatch[];
+        }
+
+        /**
+         * If specified, the pod's scheduling constraints
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch {
+            nodeAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityNodeAffinityPatch;
+            podAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch;
+            podAntiAffinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch;
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and adding
+             * "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinity {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution[];
+        }
+
+        /**
+         * Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPatch {
+            /**
+             * The scheduler will prefer to schedule pods to nodes that satisfy
+             * the anti-affinity expressions specified by this field, but it may choose
+             * a node that violates one or more of the expressions. The node that is
+             * most preferred is the one with the greatest sum of weights, i.e.
+             * for each node that meets all of the scheduling requirements (resource
+             * request, requiredDuringScheduling anti-affinity expressions, etc.),
+             * compute a sum by iterating through the elements of this field and subtracting
+             * "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+             * node(s) with the highest sum are the most preferred.
+             */
+            preferredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch[];
+            /**
+             * If the anti-affinity requirements specified by this field are not met at
+             * scheduling time, the pod will not be scheduled onto the node.
+             * If the anti-affinity requirements specified by this field cease to be met
+             * at some point during pod execution (e.g. due to a pod label update), the
+             * system may or may not try to eventually evict the pod from its node.
+             * When there are multiple elements, the lists of nodes corresponding to each
+             * podAffinityTerm are intersected, i.e. all terms must be satisfied.
+             */
+            requiredDuringSchedulingIgnoredDuringExecution: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch[];
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecution {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPatch {
+            podAffinityTerm: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch;
+            /**
+             * weight associated with matching the corresponding podAffinityTerm,
+             * in the range 1-100.
+             */
+            weight: number;
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Required. A pod affinity term, associated with the corresponding weight.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityPreferredDuringSchedulingIgnoredDuringExecutionPodAffinityTermNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecution {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over a set of resources, in this case pods.
+         * If it's null, this PodAffinityTerm matches with no Pods.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label query over the set of namespaces that the term applies to.
+         * The term is applied to the union of the namespaces selected by this field
+         * and the ones listed in the namespaces field.
+         * null selector and null or empty namespaces list means "this pod's namespace".
+         * An empty selector ({}) matches all namespaces.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Defines a set of pods (namely those matching the labelSelector
+         * relative to the given namespace(s)) that this pod should be
+         * co-located (affinity) or not co-located (anti-affinity) with,
+         * where co-located is defined as running on a node whose value of
+         * the label with key <topologyKey> matches that of any node on which
+         * a pod of the set of pods is running
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionPatch {
+            labelSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionLabelSelectorPatch;
+            /**
+             * MatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+             * Also, matchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            matchLabelKeys: string[];
+            /**
+             * MismatchLabelKeys is a set of pod label keys to select which pods will
+             * be taken into consideration. The keys are used to lookup values from the
+             * incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+             * to select the group of existing pods which pods will be taken into consideration
+             * for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+             * pod labels will be ignored. The default value is empty.
+             * The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+             * Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+             */
+            mismatchLabelKeys: string[];
+            namespaceSelector: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPodAntiAffinityRequiredDuringSchedulingIgnoredDuringExecutionNamespaceSelectorPatch;
+            /**
+             * namespaces specifies a static list of namespace names that the term applies to.
+             * The term is applied to the union of the namespaces listed in this field
+             * and the ones selected by namespaceSelector.
+             * null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+             */
+            namespaces: string[];
+            /**
+             * This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+             * the labelSelector in the specified namespaces, where co-located is defined as running on a node
+             * whose value of the label with key topologyKey matches that of any node on which any of the
+             * selected pods is running.
+             * Empty topologyKey is not allowed.
+             */
+            topologyKey: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecrets {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * LocalObjectReference contains enough information to let you locate the
+         * referenced object inside the same namespace.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch {
+            /**
+             * Name of the referent.
+             * This field is effectively required, but due to backwards compatibility is
+             * allowed to be empty. Instances of this type with an empty value here are
+             * almost certainly wrong.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * PodSpec defines overrides for the HTTP01 challenge solver pod.
+         * Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields.
+         * All other fields will be ignored.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecPatch {
+            affinity: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecAffinityPatch;
+            /**
+             * If specified, the pod's imagePullSecrets
+             */
+            imagePullSecrets: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecImagePullSecretsPatch[];
+            /**
+             * NodeSelector is a selector which must be true for the pod to fit on a node.
+             * Selector which must match a node's labels for the pod to be scheduled on that node.
+             * More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+             */
+            nodeSelector: {[key: string]: string};
+            /**
+             * If specified, the pod's priorityClassName.
+             */
+            priorityClassName: string;
+            resources: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch;
+            securityContext: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch;
+            /**
+             * If specified, the pod's service account
+             */
+            serviceAccountName: string;
+            /**
+             * If specified, the pod's tolerations.
+             */
+            tolerations: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch[];
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResources {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's resource requirements.
+         * These values override the global resource configuration flags.
+         * Note that when only specifying resource limits, ensure they are greater than or equal
+         * to the corresponding global resource requests configured via controller flags
+         * (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory).
+         * Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecResourcesPatch {
+            /**
+             * Limits describes the maximum amount of compute resources allowed.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            limits: {[key: string]: number | string};
+            /**
+             * Requests describes the minimum amount of compute resources required.
+             * If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+             * otherwise to the global values configured via controller flags. Requests cannot exceed Limits.
+             * More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+             */
+            requests: {[key: string]: number | string};
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContext {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions;
+            seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls[];
+        }
+
+        /**
+         * If specified, the pod's security context
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextPatch {
+            /**
+             * A special supplemental group that applies to all containers in a pod.
+             * Some volume types allow the Kubelet to change the ownership of that volume
+             * to be owned by the pod:
+             *
+             * 1. The owning GID will be the FSGroup
+             * 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+             * 3. The permission bits are OR'd with rw-rw----
+             *
+             * If unset, the Kubelet will not modify the ownership and permissions of any volume.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroup: number;
+            /**
+             * fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+             * before being exposed inside Pod. This field will only apply to
+             * volume types which support fsGroup based ownership(and permissions).
+             * It will have no effect on ephemeral volume types such as: secret, configmaps
+             * and emptydir.
+             * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            fsGroupChangePolicy: string;
+            /**
+             * The GID to run the entrypoint of the container process.
+             * Uses runtime default if unset.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsGroup: number;
+            /**
+             * Indicates that the container must run as a non-root user.
+             * If true, the Kubelet will validate the image at runtime to ensure that it
+             * does not run as UID 0 (root) and fail to start the container if it does.
+             * If unset or false, no such validation will be performed.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence.
+             */
+            runAsNonRoot: boolean;
+            /**
+             * The UID to run the entrypoint of the container process.
+             * Defaults to user specified in image metadata if unspecified.
+             * May also be set in SecurityContext.  If set in both SecurityContext and
+             * PodSecurityContext, the value specified in SecurityContext takes precedence
+             * for that container.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            runAsUser: number;
+            seLinuxOptions: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch;
+            seccompProfile: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch;
+            /**
+             * A list of groups applied to the first process run in each container, in addition
+             * to the container's primary GID, the fsGroup (if specified), and group memberships
+             * defined in the container image for the uid of the container process. If unspecified,
+             * no additional groups are added to any container. Note that group memberships
+             * defined in the container image for the uid of the container process are still effective,
+             * even if they are not included in this list.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            supplementalGroups: number[];
+            /**
+             * Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+             * sysctls (by the container runtime) might fail to launch.
+             * Note that this field cannot be set when spec.os.name is windows.
+             */
+            sysctls: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch[];
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptions {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The SELinux context to be applied to all containers.
+         * If unspecified, the container runtime will allocate a random SELinux context for each
+         * container.  May also be set in SecurityContext.  If set in
+         * both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+         * takes precedence for that container.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeLinuxOptionsPatch {
+            /**
+             * Level is SELinux level label that applies to the container.
+             */
+            level: string;
+            /**
+             * Role is a SELinux role label that applies to the container.
+             */
+            role: string;
+            /**
+             * Type is a SELinux type label that applies to the container.
+             */
+            type: string;
+            /**
+             * User is a SELinux user label that applies to the container.
+             */
+            user: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfile {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * The seccomp options to use by the containers in this pod.
+         * Note that this field cannot be set when spec.os.name is windows.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSeccompProfilePatch {
+            /**
+             * localhostProfile indicates a profile defined in a file on the node should be used.
+             * The profile must be preconfigured on the node to work.
+             * Must be a descending path, relative to the kubelet's configured seccomp profile location.
+             * Must be set if type is "Localhost". Must NOT be set for any other type.
+             */
+            localhostProfile: string;
+            /**
+             * type indicates which kind of seccomp profile will be applied.
+             * Valid options are:
+             *
+             * Localhost - a profile defined in a file on the node should be used.
+             * RuntimeDefault - the container runtime default profile should be used.
+             * Unconfined - no profile should be applied.
+             */
+            type: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctls {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * Sysctl defines a kernel parameter to be set
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecSecurityContextSysctlsPatch {
+            /**
+             * Name of a property to set
+             */
+            name: string;
+            /**
+             * Value of a property to set
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerations {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * The pod this Toleration is attached to tolerates any taint that matches
+         * the triple <key,value,effect> using the matching operator <operator>.
+         */
+        export interface IssuerSpecAcmeSolversHttp01IngressPodTemplateSpecTolerationsPatch {
+            /**
+             * Effect indicates the taint effect to match. Empty means match all taint effects.
+             * When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+             */
+            effect: string;
+            /**
+             * Key is the taint key that the toleration applies to. Empty means match all taint keys.
+             * If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+             */
+            key: string;
+            /**
+             * Operator represents a key's relationship to the value.
+             * Valid operators are Exists and Equal. Defaults to Equal.
+             * Exists is equivalent to wildcard for value, so that a pod can
+             * tolerate all taints of a particular category.
+             */
+            operator: string;
+            /**
+             * TolerationSeconds represents the period of time the toleration (which must be
+             * of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+             * it is not set, which means tolerate the taint forever (do not evict). Zero and
+             * negative values will be treated as 0 (evict immediately) by the system.
+             */
+            tolerationSeconds: number;
+            /**
+             * Value is the taint value the toleration matches to.
+             * If the operator is Exists, the value should be empty, otherwise just a regular string.
+             */
+            value: string;
+        }
+
+        /**
+         * Configures cert-manager to attempt to complete authorizations by
+         * performing the HTTP01 challenge flow.
+         * It is not possible to obtain certificates for wildcard domain names
+         * (e.g., `*.example.com`) using the HTTP01 challenge mechanism.
+         */
+        export interface IssuerSpecAcmeSolversHttp01Patch {
+            gatewayHTTPRoute: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01GatewayHTTPRoutePatch;
+            ingress: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01IngressPatch;
+        }
+
+        /**
+         * An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+         * A selector may be provided to use different solving strategies for different DNS names.
+         * Only one of HTTP01 or DNS01 must be provided.
+         */
+        export interface IssuerSpecAcmeSolversPatch {
+            dns01: outputs.cert_manager.v1.IssuerSpecAcmeSolversDns01Patch;
+            http01: outputs.cert_manager.v1.IssuerSpecAcmeSolversHttp01Patch;
+            selector: outputs.cert_manager.v1.IssuerSpecAcmeSolversSelectorPatch;
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface IssuerSpecAcmeSolversSelector {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * Selector selects a set of DNSNames on the Certificate resource that
+         * should be solved using this challenge solver.
+         * If not specified, the solver will be treated as the 'default' solver
+         * with the lowest priority, i.e. if any other solver has a more specific
+         * match, it will be used instead.
+         */
+        export interface IssuerSpecAcmeSolversSelectorPatch {
+            /**
+             * List of DNSNames that this solver will be used to solve.
+             * If specified and a match is found, a dnsNames selector will take
+             * precedence over a dnsZones selector.
+             * If multiple solvers match with the same dnsNames value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsNames: string[];
+            /**
+             * List of DNSZones that this solver will be used to solve.
+             * The most specific DNS zone match specified here will take precedence
+             * over other DNS zone matches, so a solver specifying sys.example.com
+             * will be selected over one specifying example.com for the domain
+             * www.sys.example.com.
+             * If multiple solvers match with the same dnsZones value, the solver
+             * with the most matching labels in matchLabels will be selected.
+             * If neither has more matches, the solver defined earlier in the list
+             * will be selected.
+             */
+            dnsZones: string[];
+            /**
+             * A label selector that is used to refine the set of certificate's that
+             * this challenge solver will apply to.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        export interface IssuerSpecCa {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints: string[];
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs: string[];
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers: string[];
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName: string;
+        }
+
+        /**
+         * CA configures this issuer to sign certificates using a signing CA keypair
+         * stored in a Secret resource.
+         * This is used to build internal PKIs that are managed by cert-manager.
+         */
+        export interface IssuerSpecCaPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set, certificates will be issued without distribution points set.
+             */
+            crlDistributionPoints: string[];
+            /**
+             * IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates
+             * it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details.
+             * As an example, such a URL might be "http://ca.domain.com/ca.crt".
+             */
+            issuingCertificateURLs: string[];
+            /**
+             * The OCSP server list is an X.509 v3 extension that defines a list of
+             * URLs of OCSP responders. The OCSP responders can be queried for the
+             * revocation status of an issued certificate. If not set, the
+             * certificate will be issued with no OCSP servers set. For example, an
+             * OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+             */
+            ocspServers: string[];
+            /**
+             * SecretName is the name of the secret used to sign Certificates issued
+             * by this Issuer.
+             */
+            secretName: string;
+        }
+
+        /**
+         * Desired state of the Issuer resource.
+         */
+        export interface IssuerSpecPatch {
+            acme: outputs.cert_manager.v1.IssuerSpecAcmePatch;
+            ca: outputs.cert_manager.v1.IssuerSpecCaPatch;
+            selfSigned: outputs.cert_manager.v1.IssuerSpecSelfSignedPatch;
+            vault: outputs.cert_manager.v1.IssuerSpecVaultPatch;
+            venafi: outputs.cert_manager.v1.IssuerSpecVenafiPatch;
+        }
+
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        export interface IssuerSpecSelfSigned {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints: string[];
+        }
+
+        /**
+         * SelfSigned configures this issuer to 'self sign' certificates using the
+         * private key used to create the CertificateRequest object.
+         */
+        export interface IssuerSpecSelfSignedPatch {
+            /**
+             * The CRL distribution points is an X.509 v3 certificate extension which identifies
+             * the location of the CRL from which the revocation of this certificate can be checked.
+             * If not set certificate will be issued without CDP. Values are strings.
+             */
+            crlDistributionPoints: string[];
+        }
+
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        export interface IssuerSpecVault {
+            auth: outputs.cert_manager.v1.IssuerSpecVaultAuth;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVaultCaBundleSecretRef;
+            clientCertSecretRef: outputs.cert_manager.v1.IssuerSpecVaultClientCertSecretRef;
+            clientKeySecretRef: outputs.cert_manager.v1.IssuerSpecVaultClientKeySecretRef;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace: string;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path: string;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server: string;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        export interface IssuerSpecVaultAuth {
+            appRole: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRole;
+            clientCertificate: outputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificate;
+            kubernetes: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetes;
+            tokenSecretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRef;
+        }
+
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        export interface IssuerSpecVaultAuthAppRole {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path: string;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId: string;
+            secretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRoleSecretRef;
+        }
+
+        /**
+         * AppRole authenticates with Vault using the App Role auth mechanism,
+         * with the role and secret stored in a Kubernetes Secret resource.
+         */
+        export interface IssuerSpecVaultAuthAppRolePatch {
+            /**
+             * Path where the App Role authentication backend is mounted in Vault, e.g:
+             * "approle"
+             */
+            path: string;
+            /**
+             * RoleID configured in the App Role authentication backend when setting
+             * up the authentication backend in Vault.
+             */
+            roleId: string;
+            secretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRoleSecretRefPatch;
+        }
+
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        export interface IssuerSpecVaultAuthAppRoleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a key in a Secret that contains the App Role secret used
+         * to authenticate with Vault.
+         * The `key` field must be specified and denotes which entry within the Secret
+         * resource is used as the app role secret.
+         */
+        export interface IssuerSpecVaultAuthAppRoleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        export interface IssuerSpecVaultAuthClientCertificate {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath: string;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name: string;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName: string;
+        }
+
+        /**
+         * ClientCertificate authenticates with Vault by presenting a client
+         * certificate during the request's TLS handshake.
+         * Works only when using HTTPS protocol.
+         */
+        export interface IssuerSpecVaultAuthClientCertificatePatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/cert" will be used.
+             */
+            mountPath: string;
+            /**
+             * Name of the certificate role to authenticate against.
+             * If not set, matching any certificate role, if available.
+             */
+            name: string;
+            /**
+             * Reference to Kubernetes Secret of type "kubernetes.io/tls" (hence containing
+             * tls.crt and tls.key) used to authenticate to Vault using TLS client
+             * authentication.
+             */
+            secretName: string;
+        }
+
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        export interface IssuerSpecVaultAuthKubernetes {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath: string;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role: string;
+            secretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesSecretRef;
+            serviceAccountRef: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesServiceAccountRef;
+        }
+
+        /**
+         * Kubernetes authenticates with Vault by passing the ServiceAccount
+         * token stored in the named Secret resource to the Vault server.
+         */
+        export interface IssuerSpecVaultAuthKubernetesPatch {
+            /**
+             * The Vault mountPath here is the mount path to use when authenticating with
+             * Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+             * `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+             * default value "/v1/auth/kubernetes" will be used.
+             */
+            mountPath: string;
+            /**
+             * A required field containing the Vault Role to assume. A Role binds a
+             * Kubernetes ServiceAccount with a set of Vault policies.
+             */
+            role: string;
+            secretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesSecretRefPatch;
+            serviceAccountRef: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesServiceAccountRefPatch;
+        }
+
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        export interface IssuerSpecVaultAuthKubernetesSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * The required Secret field containing a Kubernetes ServiceAccount JWT used
+         * for authenticating with Vault. Use of 'ambient credentials' is not
+         * supported.
+         */
+        export interface IssuerSpecVaultAuthKubernetesSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        export interface IssuerSpecVaultAuthKubernetesServiceAccountRef {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * A reference to a service account that will be used to request a bound
+         * token (also known as "projected token"). Compared to using "secretRef",
+         * using this field means that you don't rely on statically bound tokens. To
+         * use this field, you must configure an RBAC rule to let cert-manager
+         * request a token.
+         */
+        export interface IssuerSpecVaultAuthKubernetesServiceAccountRefPatch {
+            /**
+             * TokenAudiences is an optional list of extra audiences to include in the token passed to Vault. The default token
+             * consisting of the issuer's namespace and name is always included.
+             */
+            audiences: string[];
+            /**
+             * Name of the ServiceAccount used to request a token.
+             */
+            name: string;
+        }
+
+        /**
+         * Auth configures how cert-manager authenticates with the Vault server.
+         */
+        export interface IssuerSpecVaultAuthPatch {
+            appRole: outputs.cert_manager.v1.IssuerSpecVaultAuthAppRolePatch;
+            clientCertificate: outputs.cert_manager.v1.IssuerSpecVaultAuthClientCertificatePatch;
+            kubernetes: outputs.cert_manager.v1.IssuerSpecVaultAuthKubernetesPatch;
+            tokenSecretRef: outputs.cert_manager.v1.IssuerSpecVaultAuthTokenSecretRefPatch;
+        }
+
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        export interface IssuerSpecVaultAuthTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * TokenSecretRef authenticates with Vault by presenting a token.
+         */
+        export interface IssuerSpecVaultAuthTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        export interface IssuerSpecVaultCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a bundle of PEM-encoded CAs to use when
+         * verifying the certificate chain presented by Vault when using HTTPS.
+         * Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         * If no key for the Secret is specified, cert-manager will default to 'ca.crt'.
+         */
+        export interface IssuerSpecVaultCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        export interface IssuerSpecVaultClientCertSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Certificate to use when the
+         * Vault server requires mTLS.
+         */
+        export interface IssuerSpecVaultClientCertSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        export interface IssuerSpecVaultClientKeySecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a PEM-encoded Client Private Key to use when the
+         * Vault server requires mTLS.
+         */
+        export interface IssuerSpecVaultClientKeySecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Vault configures this issuer to sign certificates using a HashiCorp Vault
+         * PKI backend.
+         */
+        export interface IssuerSpecVaultPatch {
+            auth: outputs.cert_manager.v1.IssuerSpecVaultAuthPatch;
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by Vault. Only used if using HTTPS to connect to Vault and
+             * ignored for HTTP connections.
+             * Mutually exclusive with CABundleSecretRef.
+             * If neither CABundle nor CABundleSecretRef are defined, the certificate bundle in
+             * the cert-manager controller container is used to validate the TLS connection.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVaultCaBundleSecretRefPatch;
+            clientCertSecretRef: outputs.cert_manager.v1.IssuerSpecVaultClientCertSecretRefPatch;
+            clientKeySecretRef: outputs.cert_manager.v1.IssuerSpecVaultClientKeySecretRefPatch;
+            /**
+             * Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+             * More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+             */
+            namespace: string;
+            /**
+             * Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+             * "my_pki_mount/sign/my-role-name".
+             */
+            path: string;
+            /**
+             * Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+             */
+            server: string;
+            /**
+             * ServerName is used to verify the hostname on the returned certificates
+             * by the Vault server.
+             */
+            serverName: string;
+        }
+
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        export interface IssuerSpecVenafi {
+            cloud: outputs.cert_manager.v1.IssuerSpecVenafiCloud;
+            tpp: outputs.cert_manager.v1.IssuerSpecVenafiTpp;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone: string;
+        }
+
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface IssuerSpecVenafiCloud {
+            apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRef;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url: string;
+        }
+
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        export interface IssuerSpecVenafiCloudApiTokenSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+         */
+        export interface IssuerSpecVenafiCloudApiTokenSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Cloud specifies the Venafi cloud configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface IssuerSpecVenafiCloudPatch {
+            apiTokenSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiCloudApiTokenSecretRefPatch;
+            /**
+             * URL is the base URL for Venafi Cloud.
+             * Defaults to "https://api.venafi.cloud/".
+             */
+            url: string;
+        }
+
+        /**
+         * Venafi configures this issuer to sign certificates using a Venafi TPP
+         * or Venafi Cloud policy zone.
+         */
+        export interface IssuerSpecVenafiPatch {
+            cloud: outputs.cert_manager.v1.IssuerSpecVenafiCloudPatch;
+            tpp: outputs.cert_manager.v1.IssuerSpecVenafiTppPatch;
+            /**
+             * Zone is the Venafi Policy Zone to use for this issuer.
+             * All requests made to the Venafi platform will be restricted by the named
+             * zone policy.
+             * This field is required.
+             */
+            zone: string;
+        }
+
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface IssuerSpecVenafiTpp {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRef;
+            credentialsRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRef;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url: string;
+        }
+
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        export interface IssuerSpecVenafiTppCaBundleSecretRef {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * Reference to a Secret containing a base64-encoded bundle of PEM CAs
+         * which will be used to validate the certificate chain presented by the TPP server.
+         * Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle.
+         * If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in
+         * the cert-manager controller container is used to validate the TLS connection.
+         */
+        export interface IssuerSpecVenafiTppCaBundleSecretRefPatch {
+            /**
+             * The key of the entry in the Secret resource's `data` field to be used.
+             * Some instances of this field may be defaulted, in others it may be
+             * required.
+             */
+            key: string;
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        export interface IssuerSpecVenafiTppCredentialsRef {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials.
+         * The secret must contain the key 'access-token' for the Access Token Authentication,
+         * or two keys, 'username' and 'password' for the API Keys Authentication.
+         */
+        export interface IssuerSpecVenafiTppCredentialsRefPatch {
+            /**
+             * Name of the resource being referred to.
+             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+             */
+            name: string;
+        }
+
+        /**
+         * TPP specifies Trust Protection Platform configuration settings.
+         * Only one of TPP or Cloud may be specified.
+         */
+        export interface IssuerSpecVenafiTppPatch {
+            /**
+             * Base64-encoded bundle of PEM CAs which will be used to validate the certificate
+             * chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP.
+             * If undefined, the certificate bundle in the cert-manager controller container
+             * is used to validate the chain.
+             */
+            caBundle: string;
+            caBundleSecretRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCaBundleSecretRefPatch;
+            credentialsRef: outputs.cert_manager.v1.IssuerSpecVenafiTppCredentialsRefPatch;
+            /**
+             * URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+             * for example: "https://tpp.example.com/vedsdk".
+             */
+            url: string;
+        }
+
+        /**
+         * Status of the Issuer. This is set and managed automatically.
+         */
+        export interface IssuerStatus {
+            acme: outputs.cert_manager.v1.IssuerStatusAcme;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions: outputs.cert_manager.v1.IssuerStatusConditions[];
+        }
+
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        export interface IssuerStatusAcme {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash: string;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail: string;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri: string;
+        }
+
+        /**
+         * ACME specific status options.
+         * This field should only be set if the Issuer is configured to use an ACME
+         * server to issue certificates.
+         */
+        export interface IssuerStatusAcmePatch {
+            /**
+             * LastPrivateKeyHash is a hash of the private key associated with the latest
+             * registered ACME account, in order to track changes made to registered account
+             * associated with the Issuer
+             */
+            lastPrivateKeyHash: string;
+            /**
+             * LastRegisteredEmail is the email associated with the latest registered
+             * ACME account, in order to track changes made to registered account
+             * associated with the  Issuer
+             */
+            lastRegisteredEmail: string;
+            /**
+             * URI is the unique account identifier, which can also be used to retrieve
+             * account details from the CA
+             */
+            uri: string;
+        }
+
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        export interface IssuerStatusConditions {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type: string;
+        }
+
+        /**
+         * IssuerCondition contains condition information for an Issuer.
+         */
+        export interface IssuerStatusConditionsPatch {
+            /**
+             * LastTransitionTime is the timestamp corresponding to the last status
+             * change of this condition.
+             */
+            lastTransitionTime: string;
+            /**
+             * Message is a human readable description of the details of the last
+             * transition, complementing reason.
+             */
+            message: string;
+            /**
+             * If set, this represents the .metadata.generation that the condition was
+             * set based upon.
+             * For instance, if .metadata.generation is currently 12, but the
+             * .status.condition[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the Issuer.
+             */
+            observedGeneration: number;
+            /**
+             * Reason is a brief machine readable explanation for the condition's last
+             * transition.
+             */
+            reason: string;
+            /**
+             * Status of the condition, one of (`True`, `False`, `Unknown`).
+             */
+            status: string;
+            /**
+             * Type of the condition, known values are (`Ready`).
+             */
+            type: string;
+        }
+
+        /**
+         * Status of the Issuer. This is set and managed automatically.
+         */
+        export interface IssuerStatusPatch {
+            acme: outputs.cert_manager.v1.IssuerStatusAcmePatch;
+            /**
+             * List of status conditions to indicate the status of a CertificateRequest.
+             * Known condition types are `Ready`.
+             */
+            conditions: outputs.cert_manager.v1.IssuerStatusConditionsPatch[];
+        }
+
+    }
+}
+
+export namespace gateway {
+    export namespace v1 {
+        /**
+         * BackendTLSPolicy provides a way to configure how a Gateway
+         * connects to a Backend via TLS.
+         */
+        export interface BackendTLSPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "BackendTLSPolicy";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.BackendTLSPolicySpec;
+            status: outputs.gateway.v1.BackendTLSPolicyStatus;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicySpec {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs: outputs.gateway.v1.BackendTLSPolicySpecTargetRefs[];
+            validation: outputs.gateway.v1.BackendTLSPolicySpecValidation;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicySpecPatch {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs: outputs.gateway.v1.BackendTLSPolicySpecTargetRefsPatch[];
+            validation: outputs.gateway.v1.BackendTLSPolicySpecValidationPatch;
+        }
+
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        export interface BackendTLSPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName: string;
+        }
+
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        export interface BackendTLSPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        export interface BackendTLSPolicySpecValidation {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs: outputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefs[];
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames: outputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNames[];
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates: string;
+        }
+
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface BackendTLSPolicySpecValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface BackendTLSPolicySpecValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        export interface BackendTLSPolicySpecValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs: outputs.gateway.v1.BackendTLSPolicySpecValidationCaCertificateRefsPatch[];
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames: outputs.gateway.v1.BackendTLSPolicySpecValidationSubjectAltNamesPatch[];
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates: string;
+        }
+
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        export interface BackendTLSPolicySpecValidationSubjectAltNames {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type: string;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri: string;
+        }
+
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        export interface BackendTLSPolicySpecValidationSubjectAltNamesPatch {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type: string;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri: string;
+        }
+
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1.BackendTLSPolicyStatusAncestors[];
+        }
+
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        export interface BackendTLSPolicyStatusAncestors {
+            ancestorRef: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRef;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        export interface BackendTLSPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        export interface BackendTLSPolicyStatusAncestorsAncestorRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface BackendTLSPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface BackendTLSPolicyStatusAncestorsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        export interface BackendTLSPolicyStatusAncestorsPatch {
+            ancestorRef: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsAncestorRefPatch;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicyStatusPatch {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1.BackendTLSPolicyStatusAncestorsPatch[];
+        }
+
+        /**
+         * GRPCRoute provides a way to route gRPC requests. This includes the capability
+         * to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+         * Filters can be used to specify additional processing steps. Backends specify
+         * where matching requests will be routed.
+         *
+         * GRPCRoute falls under extended support within the Gateway API. Within the
+         * following specification, the word "MUST" indicates that an implementation
+         * supporting GRPCRoute must conform to the indicated requirement, but an
+         * implementation not supporting this route type need not follow the requirement
+         * unless explicitly indicated.
+         *
+         * Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+         * accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+         * ALPN. If the implementation does not support this, then it MUST set the
+         * "Accepted" condition to "False" for the affected listener with a reason of
+         * "UnsupportedProtocol".  Implementations MAY also accept HTTP/2 connections
+         * with an upgrade from HTTP/1.
+         *
+         * Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+         * support HTTP/2 over cleartext TCP (h2c,
+         * https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+         * upgrade from HTTP/1.1, i.e. with prior knowledge
+         * (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+         * does not support this, then it MUST set the "Accepted" condition to "False"
+         * for the affected listener with a reason of "UnsupportedProtocol".
+         * Implementations MAY also accept HTTP/2 connections with an upgrade from
+         * HTTP/1, i.e. without prior knowledge.
+         */
+        export interface GRPCRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "GRPCRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.GRPCRouteSpec;
+            status: outputs.gateway.v1.GRPCRouteStatus;
+        }
+
+        /**
+         * Spec defines the desired state of GRPCRoute.
+         */
+        export interface GRPCRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames to match against the GRPC
+             * Host header to select a GRPCRoute to process the request. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label MUST appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and GRPCRoute, there
+             * MUST be at least one intersecting hostname for the GRPCRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, any
+             * GRPCRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * GRPCRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` MUST NOT be considered for a match.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, and none
+             * match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+             * the implementation. The implementation MUST raise an 'Accepted' Condition
+             * with a status of `False` in the corresponding RouteParentStatus.
+             *
+             * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+             * Listener and that listener already has another Route (B) of the other
+             * type attached and the intersection of the hostnames of A and B is
+             * non-empty, then the implementation MUST accept exactly one of these two
+             * routes, determined by the following criteria, in order:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * The rejected Route MUST raise an 'Accepted' condition with a status of
+             * 'False' in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1.GRPCRouteSpecParentRefs[];
+            /**
+             * Rules are a list of GRPC matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1.GRPCRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface GRPCRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface GRPCRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Spec defines the desired state of GRPCRoute.
+         */
+        export interface GRPCRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames to match against the GRPC
+             * Host header to select a GRPCRoute to process the request. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label MUST appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and GRPCRoute, there
+             * MUST be at least one intersecting hostname for the GRPCRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, any
+             * GRPCRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * GRPCRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` MUST NOT be considered for a match.
+             *
+             * If both the Listener and GRPCRoute have specified hostnames, and none
+             * match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+             * the implementation. The implementation MUST raise an 'Accepted' Condition
+             * with a status of `False` in the corresponding RouteParentStatus.
+             *
+             * If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+             * Listener and that listener already has another Route (B) of the other
+             * type attached and the intersection of the hostnames of A and B is
+             * non-empty, then the implementation MUST accept exactly one of these two
+             * routes, determined by the following criteria, in order:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * The rejected Route MUST raise an 'Accepted' condition with a status of
+             * 'False' in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1.GRPCRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of GRPC matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1.GRPCRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * GRPCRouteRule defines the semantics for matching a gRPC request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface GRPCRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive an `UNAVAILABLE` status.
+             *
+             * See the GRPCBackendRef definition for the rules about what makes a single
+             * GRPCBackendRef invalid.
+             *
+             * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive an `UNAVAILABLE` status.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+             * Implementations may choose how that 50 percent is determined.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefs[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * The effects of ordering of multiple behaviors are currently unspecified.
+             * This can change in the future based on feedback during the alpha stage.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations that support
+             *   GRPCRoute.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * If an implementation cannot support a combination of filters, it must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1.GRPCRouteSpecRulesFilters[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * gRPC requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - method:
+             *     service: foo.bar
+             *   headers:
+             *     values:
+             *       version: 2
+             * - method:
+             *     service: foo.bar.v2
+             * ```
+             *
+             * For a request to match against this rule, it MUST satisfy
+             * EITHER of the two conditions:
+             *
+             * - service of foo.bar AND contains the header `version: 2`
+             * - service of foo.bar.v2
+             *
+             * See the documentation for GRPCRouteMatch on how to specify multiple
+             * match conditions to be ANDed together.
+             *
+             * If no matches are specified, the implementation MUST match every gRPC request.
+             *
+             * Proxy or Load Balancer routing configuration generated from GRPCRoutes
+             * MUST prioritize rules based on the following criteria, continuing on
+             * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+             * Precedence MUST be given to the rule with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             * * Characters in a matching service.
+             * * Characters in a matching method.
+             * * Header matches.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within the Route that has been given precedence,
+             * matching precedence MUST be granted to the first matching rule meeting
+             * the above criteria.
+             */
+            matches: outputs.gateway.v1.GRPCRouteSpecRulesMatches[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            sessionPersistence: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistence;
+        }
+
+        /**
+         * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface GRPCRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level MUST be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in GRPCRouteRule.)
+             */
+            filters: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFilters[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFilters {
+            extensionRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersExtensionRef;
+            requestHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirror;
+            responseHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type: string;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersPatch {
+            extensionRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersExtensionRefPatch;
+            requestHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch;
+            responseHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type: string;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface GRPCRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level MUST be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in GRPCRouteRule.)
+             */
+            filters: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsFiltersPatch[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface GRPCRouteSpecRulesFilters {
+            extensionRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersExtensionRef;
+            requestHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirror;
+            responseHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type: string;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        export interface GRPCRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * Support: Implementation-specific
+         *
+         * This filter can be used multiple times within the same rule.
+         */
+        export interface GRPCRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * GRPCRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. GRPCRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface GRPCRouteSpecRulesFiltersPatch {
+            extensionRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersExtensionRefPatch;
+            requestHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorPatch;
+            responseHeaderModifier: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations supporting GRPCRoute MUST support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` MUST be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             */
+            type: string;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirror {
+            backendRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1.GRPCRouteSpecRulesFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface GRPCRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * GRPCRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a gRPC request only if its service
+         * is `foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * matches:
+         *   - method:
+         *     type: Exact
+         *     service: "foo"
+         *     headers:
+         *   - name: "version"
+         *     value "v1"
+         *
+         * ```
+         */
+        export interface GRPCRouteSpecRulesMatches {
+            /**
+             * Headers specifies gRPC request header matchers. Multiple match values are
+             * ANDed together, meaning, a request MUST match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1.GRPCRouteSpecRulesMatchesHeaders[];
+            method: outputs.gateway.v1.GRPCRouteSpecRulesMatchesMethod;
+        }
+
+        /**
+         * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+         * headers.
+         */
+        export interface GRPCRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the gRPC Header to be matched.
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             */
+            type: string;
+            /**
+             * Value is the value of the gRPC Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+         * headers.
+         */
+        export interface GRPCRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the gRPC Header to be matched.
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             */
+            type: string;
+            /**
+             * Value is the value of the gRPC Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * Method specifies a gRPC request service/method matcher. If this field is
+         * not specified, all services and methods will match.
+         */
+        export interface GRPCRouteSpecRulesMatchesMethod {
+            /**
+             * Value of the method to match against. If left empty or omitted, will
+             * match all services.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            method: string;
+            /**
+             * Value of the service to match against. If left empty or omitted, will
+             * match any service.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            service: string;
+            /**
+             * Type specifies how to match against the service and/or method.
+             * Support: Core (Exact with service and method specified)
+             *
+             * Support: Implementation-specific (Exact with method specified but no service specified)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+        }
+
+        /**
+         * Method specifies a gRPC request service/method matcher. If this field is
+         * not specified, all services and methods will match.
+         */
+        export interface GRPCRouteSpecRulesMatchesMethodPatch {
+            /**
+             * Value of the method to match against. If left empty or omitted, will
+             * match all services.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            method: string;
+            /**
+             * Value of the service to match against. If left empty or omitted, will
+             * match any service.
+             *
+             * At least one of Service and Method MUST be a non-empty string.
+             */
+            service: string;
+            /**
+             * Type specifies how to match against the service and/or method.
+             * Support: Core (Exact with service and method specified)
+             *
+             * Support: Implementation-specific (Exact with method specified but no service specified)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+        }
+
+        /**
+         * GRPCRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a gRPC request only if its service
+         * is `foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * matches:
+         *   - method:
+         *     type: Exact
+         *     service: "foo"
+         *     headers:
+         *   - name: "version"
+         *     value "v1"
+         *
+         * ```
+         */
+        export interface GRPCRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies gRPC request header matchers. Multiple match values are
+             * ANDed together, meaning, a request MUST match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1.GRPCRouteSpecRulesMatchesHeadersPatch[];
+            method: outputs.gateway.v1.GRPCRouteSpecRulesMatchesMethodPatch;
+        }
+
+        /**
+         * GRPCRouteRule defines the semantics for matching a gRPC request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface GRPCRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive an `UNAVAILABLE` status.
+             *
+             * See the GRPCBackendRef definition for the rules about what makes a single
+             * GRPCBackendRef invalid.
+             *
+             * When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive an `UNAVAILABLE` status.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+             * Implementations may choose how that 50 percent is determined.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1.GRPCRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * The effects of ordering of multiple behaviors are currently unspecified.
+             * This can change in the future based on feedback during the alpha stage.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations that support
+             *   GRPCRoute.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * If an implementation cannot support a combination of filters, it must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1.GRPCRouteSpecRulesFiltersPatch[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * gRPC requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - method:
+             *     service: foo.bar
+             *   headers:
+             *     values:
+             *       version: 2
+             * - method:
+             *     service: foo.bar.v2
+             * ```
+             *
+             * For a request to match against this rule, it MUST satisfy
+             * EITHER of the two conditions:
+             *
+             * - service of foo.bar AND contains the header `version: 2`
+             * - service of foo.bar.v2
+             *
+             * See the documentation for GRPCRouteMatch on how to specify multiple
+             * match conditions to be ANDed together.
+             *
+             * If no matches are specified, the implementation MUST match every gRPC request.
+             *
+             * Proxy or Load Balancer routing configuration generated from GRPCRoutes
+             * MUST prioritize rules based on the following criteria, continuing on
+             * ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+             * Precedence MUST be given to the rule with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             * * Characters in a matching service.
+             * * Characters in a matching method.
+             * * Header matches.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within the Route that has been given precedence,
+             * matching precedence MUST be granted to the first matching rule meeting
+             * the above criteria.
+             */
+            matches: outputs.gateway.v1.GRPCRouteSpecRulesMatchesPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            sessionPersistence: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistencePatch;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistenceCookieConfig;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface GRPCRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1.GRPCRouteSpecRulesSessionPersistenceCookieConfigPatch;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+
+        /**
+         * Status defines the current state of GRPCRoute.
+         */
+        export interface GRPCRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1.GRPCRouteStatusParents[];
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface GRPCRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1.GRPCRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1.GRPCRouteStatusParentsParentRef;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GRPCRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GRPCRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface GRPCRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface GRPCRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface GRPCRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1.GRPCRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1.GRPCRouteStatusParentsParentRefPatch;
+        }
+
+        /**
+         * Status defines the current state of GRPCRoute.
+         */
+        export interface GRPCRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1.GRPCRouteStatusParentsPatch[];
+        }
+
+        /**
+         * Gateway represents an instance of a service-traffic handling infrastructure
+         * by binding Listeners to a set of IP addresses.
+         */
+        export interface Gateway {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Gateway";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.GatewaySpec;
+            status: outputs.gateway.v1.GatewayStatus;
+        }
+
+        /**
+         * GatewayClass describes a class of Gateways available to the user for creating
+         * Gateway resources.
+         *
+         * It is recommended that this resource be used as a template for Gateways. This
+         * means that a Gateway is based on the state of the GatewayClass at the time it
+         * was created and changes to the GatewayClass or associated parameters are not
+         * propagated down to existing Gateways. This recommendation is intended to
+         * limit the blast radius of changes to GatewayClass or associated parameters.
+         * If implementations choose to propagate GatewayClass changes to existing
+         * Gateways, that MUST be clearly documented by the implementation.
+         *
+         * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+         * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+         * associated GatewayClass. This ensures that a GatewayClass associated with a
+         * Gateway is not deleted while in use.
+         *
+         * GatewayClass is a Cluster level resource.
+         */
+        export interface GatewayClass {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "GatewayClass";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.GatewayClassSpec;
+            status: outputs.gateway.v1.GatewayClassStatus;
+        }
+
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        export interface GatewayClassSpec {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1.GatewayClassSpecParametersRef;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewayClassSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewayClassSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        export interface GatewayClassSpecPatch {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1.GatewayClassSpecParametersRefPatch;
+        }
+
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        export interface GatewayClassStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1.GatewayClassStatusConditions[];
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1.GatewayClassStatusSupportedFeatures[];
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayClassStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayClassStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        export interface GatewayClassStatusPatch {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1.GatewayClassStatusConditionsPatch[];
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1.GatewayClassStatusSupportedFeaturesPatch[];
+        }
+
+        export interface GatewayClassStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+
+        export interface GatewayClassStatusSupportedFeaturesPatch {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        export interface GatewaySpec {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses: outputs.gateway.v1.GatewaySpecAddresses[];
+            allowedListeners: outputs.gateway.v1.GatewaySpecAllowedListeners;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope: string;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName: string;
+            infrastructure: outputs.gateway.v1.GatewaySpecInfrastructure;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners: outputs.gateway.v1.GatewaySpecListeners[];
+            tls: outputs.gateway.v1.GatewaySpecTls;
+        }
+
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        export interface GatewaySpecAddresses {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        export interface GatewaySpecAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListeners {
+            namespaces: outputs.gateway.v1.GatewaySpecAllowedListenersNamespaces;
+        }
+
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersNamespaces {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from: string;
+            selector: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelector;
+        }
+
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesPatch {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from: string;
+            selector: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorPatch;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersPatch {
+            namespaces: outputs.gateway.v1.GatewaySpecAllowedListenersNamespacesPatch;
+        }
+
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecInfrastructure {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels: {[key: string]: string};
+            parametersRef: outputs.gateway.v1.GatewaySpecInfrastructureParametersRef;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewaySpecInfrastructureParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewaySpecInfrastructureParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecInfrastructurePatch {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels: {[key: string]: string};
+            parametersRef: outputs.gateway.v1.GatewaySpecInfrastructureParametersRefPatch;
+        }
+
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        export interface GatewaySpecListeners {
+            allowedRoutes: outputs.gateway.v1.GatewaySpecListenersAllowedRoutes;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol: string;
+            tls: outputs.gateway.v1.GatewaySpecListenersTls;
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesKinds[];
+            namespaces: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespaces;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewaySpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewaySpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelector;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesKindsPatch[];
+            namespaces: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesNamespacesPatch;
+        }
+
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        export interface GatewaySpecListenersPatch {
+            allowedRoutes: outputs.gateway.v1.GatewaySpecListenersAllowedRoutesPatch;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol: string;
+            tls: outputs.gateway.v1.GatewaySpecListenersTlsPatch;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsCertificateRefs[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1.GatewaySpecListenersTlsCertificateRefsPatch[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+        }
+
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        export interface GatewaySpecPatch {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses: outputs.gateway.v1.GatewaySpecAddressesPatch[];
+            allowedListeners: outputs.gateway.v1.GatewaySpecAllowedListenersPatch;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope: string;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName: string;
+            infrastructure: outputs.gateway.v1.GatewaySpecInfrastructurePatch;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners: outputs.gateway.v1.GatewaySpecListenersPatch[];
+            tls: outputs.gateway.v1.GatewaySpecTlsPatch;
+        }
+
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecTls {
+            backend: outputs.gateway.v1.GatewaySpecTlsBackend;
+            frontend: outputs.gateway.v1.GatewaySpecTlsFrontend;
+        }
+
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackend {
+            clientCertificateRef: outputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRef;
+        }
+
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendClientCertificateRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendClientCertificateRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendPatch {
+            clientCertificateRef: outputs.gateway.v1.GatewaySpecTlsBackendClientCertificateRefPatch;
+        }
+
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontend {
+            default: outputs.gateway.v1.GatewaySpecTlsFrontendDefault;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort: outputs.gateway.v1.GatewaySpecTlsFrontendPerPort[];
+        }
+
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefault {
+            validation: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidation;
+        }
+
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultPatch {
+            validation: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationPatch;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPatch {
+            default: outputs.gateway.v1.GatewaySpecTlsFrontendDefaultPatch;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortPatch[];
+        }
+
+        export interface GatewaySpecTlsFrontendPerPort {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port: number;
+            tls: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTls;
+        }
+
+        export interface GatewaySpecTlsFrontendPerPortPatch {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port: number;
+            tls: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsPatch;
+        }
+
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTls {
+            validation: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidation;
+        }
+
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsPatch {
+            validation: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationPatch;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecTlsPatch {
+            backend: outputs.gateway.v1.GatewaySpecTlsBackendPatch;
+            frontend: outputs.gateway.v1.GatewaySpecTlsFrontendPatch;
+        }
+
+        /**
+         * Status defines the current state of Gateway.
+         */
+        export interface GatewayStatus {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses: outputs.gateway.v1.GatewayStatusAddresses[];
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions: outputs.gateway.v1.GatewayStatusConditions[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1.GatewayStatusListeners[];
+        }
+
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        export interface GatewayStatusAddresses {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        export interface GatewayStatusAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        export interface GatewayStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1.GatewayStatusListenersConditions[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1.GatewayStatusListenersSupportedKinds[];
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusListenersConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        export interface GatewayStatusListenersPatch {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1.GatewayStatusListenersConditionsPatch[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1.GatewayStatusListenersSupportedKindsPatch[];
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewayStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewayStatusListenersSupportedKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * Status defines the current state of Gateway.
+         */
+        export interface GatewayStatusPatch {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses: outputs.gateway.v1.GatewayStatusAddressesPatch[];
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions: outputs.gateway.v1.GatewayStatusConditionsPatch[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1.GatewayStatusListenersPatch[];
+        }
+
+        /**
+         * HTTPRoute provides a way to route HTTP requests. This includes the capability
+         * to match requests by hostname, path, header, or query param. Filters can be
+         * used to specify additional processing steps. Backends specify where matching
+         * requests should be routed.
+         */
+        export interface HTTPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "HTTPRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1.HTTPRouteSpec;
+            status: outputs.gateway.v1.HTTPRouteStatus;
+        }
+
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        export interface HTTPRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1.HTTPRouteSpecParentRefs[];
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1.HTTPRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface HTTPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface HTTPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        export interface HTTPRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1.HTTPRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1.HTTPRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface HTTPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefs[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1.HTTPRouteSpecRulesFilters[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches: outputs.gateway.v1.HTTPRouteSpecRulesMatches[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            retry: outputs.gateway.v1.HTTPRouteSpecRulesRetry;
+            sessionPersistence: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistence;
+            timeouts: outputs.gateway.v1.HTTPRouteSpecRulesTimeouts;
+        }
+
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface HTTPRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFilters[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFilters {
+            cors: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCors;
+            extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef;
+            externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth;
+            requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror;
+            requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect;
+            responseHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef;
+            forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody;
+            grpc: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc;
+            http: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch;
+            forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch;
+            grpc: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch;
+            http: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersPatch {
+            cors: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch;
+            extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch;
+            externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch;
+            requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch;
+            requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch;
+            responseHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsFiltersPatch[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesFilters {
+            cors: outputs.gateway.v1.HTTPRouteSpecRulesFiltersCors;
+            extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRef;
+            externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuth;
+            requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirror;
+            requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirect;
+            responseHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewrite;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuth {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef;
+            forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody;
+            grpc: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpc;
+            http: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttp;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthPatch {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch;
+            forwardBody: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch;
+            grpc: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch;
+            http: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesFiltersPatch {
+            cors: outputs.gateway.v1.HTTPRouteSpecRulesFiltersCorsPatch;
+            extensionRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExtensionRefPatch;
+            externalAuth: outputs.gateway.v1.HTTPRouteSpecRulesFiltersExternalAuthPatch;
+            requestHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorPatch;
+            requestRedirect: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPatch;
+            responseHeaderModifier: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePatch;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirror {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPath;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesFiltersRequestRedirectPathPatch;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePath;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesFiltersUrlRewritePathPatch;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        export interface HTTPRouteSpecRulesMatches {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1.HTTPRouteSpecRulesMatchesHeaders[];
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesMatchesPath;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams: outputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParams[];
+        }
+
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        export interface HTTPRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        export interface HTTPRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        export interface HTTPRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1.HTTPRouteSpecRulesMatchesHeadersPatch[];
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method: string;
+            path: outputs.gateway.v1.HTTPRouteSpecRulesMatchesPathPatch;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams: outputs.gateway.v1.HTTPRouteSpecRulesMatchesQueryParamsPatch[];
+        }
+
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        export interface HTTPRouteSpecRulesMatchesPath {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value: string;
+        }
+
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        export interface HTTPRouteSpecRulesMatchesPathPatch {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        export interface HTTPRouteSpecRulesMatchesQueryParams {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        export interface HTTPRouteSpecRulesMatchesQueryParamsPatch {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface HTTPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1.HTTPRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1.HTTPRouteSpecRulesFiltersPatch[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches: outputs.gateway.v1.HTTPRouteSpecRulesMatchesPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            retry: outputs.gateway.v1.HTTPRouteSpecRulesRetryPatch;
+            sessionPersistence: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistencePatch;
+            timeouts: outputs.gateway.v1.HTTPRouteSpecRulesTimeoutsPatch;
+        }
+
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesRetry {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts: number;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff: string;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes: number[];
+        }
+
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesRetryPatch {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts: number;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff: string;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes: number[];
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistenceCookieConfig;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1.HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesTimeouts {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest: string;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request: string;
+        }
+
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesTimeoutsPatch {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest: string;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request: string;
+        }
+
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        export interface HTTPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1.HTTPRouteStatusParents[];
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface HTTPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1.HTTPRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1.HTTPRouteStatusParentsParentRef;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface HTTPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface HTTPRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface HTTPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface HTTPRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface HTTPRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1.HTTPRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1.HTTPRouteStatusParentsParentRefPatch;
+        }
+
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        export interface HTTPRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1.HTTPRouteStatusParentsPatch[];
+        }
+
+    }
+
+    export namespace v1alpha1 {
+        /**
+         * XBackendTrafficPolicy defines the configuration for how traffic to a
+         * target backend should be handled.
+         */
+        export interface XBackendTrafficPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.x-k8s.io/v1alpha1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "XBackendTrafficPolicy";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha1.XBackendTrafficPolicySpec;
+            status: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatus;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTrafficPolicy.
+         */
+        export interface XBackendTrafficPolicySpec {
+            retryConstraint: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraint;
+            sessionPersistence: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistence;
+            /**
+             * TargetRefs identifies API object(s) to apply this policy to.
+             * Currently, Backends (A grouping of like endpoints such as Service,
+             * ServiceImport, or any implementation-specific backendRef) are the only
+             * valid API target references.
+             *
+             * Currently, a TargetRef can not be scoped to a specific port on a
+             * Service.
+             */
+            targetRefs: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefs[];
+        }
+
+        /**
+         * Spec defines the desired state of BackendTrafficPolicy.
+         */
+        export interface XBackendTrafficPolicySpecPatch {
+            retryConstraint: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintPatch;
+            sessionPersistence: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistencePatch;
+            /**
+             * TargetRefs identifies API object(s) to apply this policy to.
+             * Currently, Backends (A grouping of like endpoints such as Service,
+             * ServiceImport, or any implementation-specific backendRef) are the only
+             * valid API target references.
+             *
+             * Currently, a TargetRef can not be scoped to a specific port on a
+             * Service.
+             */
+            targetRefs: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecTargetRefsPatch[];
+        }
+
+        /**
+         * RetryConstraint defines the configuration for when to allow or prevent
+         * further retries to a target backend, by dynamically calculating a 'retry
+         * budget'. This budget is calculated based on the percentage of incoming
+         * traffic composed of retries over a given time interval. Once the budget
+         * is exceeded, additional retries will be rejected.
+         *
+         * For example, if the retry budget interval is 10 seconds, there have been
+         * 1000 active requests in the past 10 seconds, and the allowed percentage
+         * of requests that can be retried is 20% (the default), then 200 of those
+         * requests may be composed of retries. Active requests will only be
+         * considered for the duration of the interval when calculating the retry
+         * budget. Retrying the same original request multiple times within the
+         * retry budget interval will lead to each retry being counted towards
+         * calculating the budget.
+         *
+         * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with
+         * HTTPRoute Retry settings for each HTTPRouteRule that targets the same
+         * backend. While the HTTPRouteRule Retry stanza can specify whether a
+         * request will be retried, and the number of retry attempts each client
+         * may perform, RetryConstraint helps prevent cascading failures such as
+         * retry storms during periods of consistent failures.
+         *
+         * After the retry budget has been exceeded, additional retries to the
+         * backend MUST return a 503 response to the client.
+         *
+         * Additional configurations for defining a constraint on retries MAY be
+         * defined in the future.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraint {
+            budget: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudget;
+            minRetryRate: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRate;
+        }
+
+        /**
+         * Budget holds the details of the retry budget configuration.
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintBudget {
+            /**
+             * Interval defines the duration in which requests will be considered
+             * for calculating the budget for retries.
+             *
+             * Support: Extended
+             */
+            interval: string;
+            /**
+             * Percent defines the maximum percentage of active requests that may
+             * be made up of retries.
+             *
+             * Support: Extended
+             */
+            percent: number;
+        }
+
+        /**
+         * Budget holds the details of the retry budget configuration.
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintBudgetPatch {
+            /**
+             * Interval defines the duration in which requests will be considered
+             * for calculating the budget for retries.
+             *
+             * Support: Extended
+             */
+            interval: string;
+            /**
+             * Percent defines the maximum percentage of active requests that may
+             * be made up of retries.
+             *
+             * Support: Extended
+             */
+            percent: number;
+        }
+
+        /**
+         * MinRetryRate defines the minimum rate of retries that will be allowable
+         * over a specified duration of time.
+         *
+         * The effective overall minimum rate of retries targeting the backend
+         * service may be much higher, as there can be any number of clients which
+         * are applying this setting locally.
+         *
+         * This ensures that requests can still be retried during periods of low
+         * traffic, where the budget for retries may be calculated as a very low
+         * value.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintMinRetryRate {
+            /**
+             * Count specifies the number of requests per time interval.
+             *
+             * Support: Extended
+             */
+            count: number;
+            /**
+             * Interval specifies the divisor of the rate of requests, the amount of
+             * time during which the given count of requests occur.
+             *
+             * Support: Extended
+             */
+            interval: string;
+        }
+
+        /**
+         * MinRetryRate defines the minimum rate of retries that will be allowable
+         * over a specified duration of time.
+         *
+         * The effective overall minimum rate of retries targeting the backend
+         * service may be much higher, as there can be any number of clients which
+         * are applying this setting locally.
+         *
+         * This ensures that requests can still be retried during periods of low
+         * traffic, where the budget for retries may be calculated as a very low
+         * value.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch {
+            /**
+             * Count specifies the number of requests per time interval.
+             *
+             * Support: Extended
+             */
+            count: number;
+            /**
+             * Interval specifies the divisor of the rate of requests, the amount of
+             * time during which the given count of requests occur.
+             *
+             * Support: Extended
+             */
+            interval: string;
+        }
+
+        /**
+         * RetryConstraint defines the configuration for when to allow or prevent
+         * further retries to a target backend, by dynamically calculating a 'retry
+         * budget'. This budget is calculated based on the percentage of incoming
+         * traffic composed of retries over a given time interval. Once the budget
+         * is exceeded, additional retries will be rejected.
+         *
+         * For example, if the retry budget interval is 10 seconds, there have been
+         * 1000 active requests in the past 10 seconds, and the allowed percentage
+         * of requests that can be retried is 20% (the default), then 200 of those
+         * requests may be composed of retries. Active requests will only be
+         * considered for the duration of the interval when calculating the retry
+         * budget. Retrying the same original request multiple times within the
+         * retry budget interval will lead to each retry being counted towards
+         * calculating the budget.
+         *
+         * Configuring a RetryConstraint in BackendTrafficPolicy is compatible with
+         * HTTPRoute Retry settings for each HTTPRouteRule that targets the same
+         * backend. While the HTTPRouteRule Retry stanza can specify whether a
+         * request will be retried, and the number of retry attempts each client
+         * may perform, RetryConstraint helps prevent cascading failures such as
+         * retry storms during periods of consistent failures.
+         *
+         * After the retry budget has been exceeded, additional retries to the
+         * backend MUST return a 503 response to the client.
+         *
+         * Additional configurations for defining a constraint on retries MAY be
+         * defined in the future.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecRetryConstraintPatch {
+            budget: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintBudgetPatch;
+            minRetryRate: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecRetryConstraintMinRetryRatePatch;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the backend.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfig;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface XBackendTrafficPolicySpecSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the backend.
+         *
+         * Support: Extended
+         */
+        export interface XBackendTrafficPolicySpecSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1alpha1.XBackendTrafficPolicySpecSessionPersistenceCookieConfigPatch;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+
+        /**
+         * LocalPolicyTargetReference identifies an API object to apply a direct or
+         * inherited policy to. This should be used as part of Policy resources
+         * that can target Gateway API resources. For more information on how this
+         * policy attachment model works, and a sample Policy resource, refer to
+         * the policy attachment documentation for Gateway API.
+         */
+        export interface XBackendTrafficPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+        }
+
+        /**
+         * LocalPolicyTargetReference identifies an API object to apply a direct or
+         * inherited policy to. This should be used as part of Policy resources
+         * that can target Gateway API resources. For more information on how this
+         * policy attachment model works, and a sample Policy resource, refer to
+         * the policy attachment documentation for Gateway API.
+         */
+        export interface XBackendTrafficPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+        }
+
+        /**
+         * Status defines the current state of BackendTrafficPolicy.
+         */
+        export interface XBackendTrafficPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestors[];
+        }
+
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        export interface XBackendTrafficPolicyStatusAncestors {
+            ancestorRef: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRef;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        export interface XBackendTrafficPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        export interface XBackendTrafficPolicyStatusAncestorsAncestorRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XBackendTrafficPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XBackendTrafficPolicyStatusAncestorsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        export interface XBackendTrafficPolicyStatusAncestorsPatch {
+            ancestorRef: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsAncestorRefPatch;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+
+        /**
+         * Status defines the current state of BackendTrafficPolicy.
+         */
+        export interface XBackendTrafficPolicyStatusPatch {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1alpha1.XBackendTrafficPolicyStatusAncestorsPatch[];
+        }
+
+        /**
+         * XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+         * This resource provides a mechanism to merge multiple listeners into a single Gateway.
+         *
+         * The parent Gateway must explicitly allow ListenerSet attachment through its
+         * AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+         * attachment.
+         *
+         * Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+         * optionally target specific listeners using the sectionName field.
+         *
+         * Policy Attachment:
+         * - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+         * - Policies do not impact listeners in the parent Gateway
+         * - Different ListenerSets attached to the same Gateway can have different policies
+         * - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+         *
+         * ReferenceGrant Semantics:
+         * - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+         * - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+         * - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+         *
+         * Gateway Integration:
+         * - The parent Gateway's status will include an "AttachedListenerSets" condition
+         * - This condition will be:
+         *   - True: when AllowedListeners is set and at least one child ListenerSet is attached
+         *   - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+         *   - Unknown: when no AllowedListeners config is present
+         */
+        export interface XListenerSet {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.x-k8s.io/v1alpha1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "XListenerSet";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha1.XListenerSetSpec;
+            status: outputs.gateway.v1alpha1.XListenerSetStatus;
+        }
+
+        /**
+         * Spec defines the desired state of ListenerSet.
+         */
+        export interface XListenerSetSpec {
+            /**
+             * Listeners associated with this ListenerSet. Listeners define
+             * logical endpoints that are bound on this referenced parent Gateway's addresses.
+             *
+             * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+             * as a list when programming the underlying infrastructure. Each listener
+             * name does not need to be unique across the Gateway and ListenerSets.
+             * See ListenerEntry.Name for more details.
+             *
+             * Implementations MUST treat the parent Gateway as having the merged
+             * list of all listeners from itself and attached ListenerSets using
+             * the following precedence:
+             *
+             * 1. "parent" Gateway
+             * 2. ListenerSet ordered by creation time (oldest first)
+             * 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+             *
+             * An implementation MAY reject listeners by setting the ListenerEntryStatus
+             * `Accepted` condition to False with the Reason `TooManyListeners`
+             *
+             * If a listener has a conflict, this will be reported in the
+             * Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+             *
+             * Implementations SHOULD be cautious about what information from the
+             * parent or siblings are reported to avoid accidentally leaking
+             * sensitive information that the child would not otherwise have access
+             * to. This can include contents of secrets etc.
+             */
+            listeners: outputs.gateway.v1alpha1.XListenerSetSpecListeners[];
+            parentRef: outputs.gateway.v1alpha1.XListenerSetSpecParentRef;
+        }
+
+        export interface XListenerSetSpecListeners {
+            allowedRoutes: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutes;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+             *   protocol layers as described above. If an implementation does not
+             *   ensure that both the SNI and Host header match the Listener hostname,
+             *   it MUST clearly document that.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * ListenerSet.
+             *
+             * Name is not required to be unique across a Gateway and ListenerSets.
+             * Routes can attach to a Listener by having a ListenerSet as a parentRef
+             * and setting the SectionName
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * If the port is not set or specified as zero, the implementation will assign
+             * a unique port. If the implementation does not support dynamic port
+             * assignment, it MUST set `Accepted` condition to `False` with the
+             * `UnsupportedPort` reason.
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             */
+            protocol: string;
+            tls: outputs.gateway.v1alpha1.XListenerSetSpecListenersTls;
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKinds[];
+            namespaces: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespaces;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelector;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         */
+        export interface XListenerSetSpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesKindsPatch[];
+            namespaces: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesNamespacesPatch;
+        }
+
+        export interface XListenerSetSpecListenersPatch {
+            allowedRoutes: outputs.gateway.v1alpha1.XListenerSetSpecListenersAllowedRoutesPatch;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+             *   protocol layers as described above. If an implementation does not
+             *   ensure that both the SNI and Host header match the Listener hostname,
+             *   it MUST clearly document that.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * ListenerSet.
+             *
+             * Name is not required to be unique across a Gateway and ListenerSets.
+             * Routes can attach to a Listener by having a ListenerSet as a parentRef
+             * and setting the SectionName
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * If the port is not set or specified as zero, the implementation will assign
+             * a unique port. If the implementation does not support dynamic port
+             * assignment, it MUST set `Accepted` condition to `False` with the
+             * `UnsupportedPort` reason.
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             */
+            protocol: string;
+            tls: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsPatch;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         */
+        export interface XListenerSetSpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefs[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface XListenerSetSpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface XListenerSetSpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         */
+        export interface XListenerSetSpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1alpha1.XListenerSetSpecListenersTlsCertificateRefsPatch[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+        }
+
+        /**
+         * ParentRef references the Gateway that the listeners are attached to.
+         */
+        export interface XListenerSetSpecParentRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Gateway".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.  If not present,
+             * the namespace of the referent is assumed to be the same as
+             * the namespace of the referring object.
+             */
+            namespace: string;
+        }
+
+        /**
+         * ParentRef references the Gateway that the listeners are attached to.
+         */
+        export interface XListenerSetSpecParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Gateway".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.  If not present,
+             * the namespace of the referent is assumed to be the same as
+             * the namespace of the referring object.
+             */
+            namespace: string;
+        }
+
+        /**
+         * Spec defines the desired state of ListenerSet.
+         */
+        export interface XListenerSetSpecPatch {
+            /**
+             * Listeners associated with this ListenerSet. Listeners define
+             * logical endpoints that are bound on this referenced parent Gateway's addresses.
+             *
+             * Listeners in a `Gateway` and their attached `ListenerSets` are concatenated
+             * as a list when programming the underlying infrastructure. Each listener
+             * name does not need to be unique across the Gateway and ListenerSets.
+             * See ListenerEntry.Name for more details.
+             *
+             * Implementations MUST treat the parent Gateway as having the merged
+             * list of all listeners from itself and attached ListenerSets using
+             * the following precedence:
+             *
+             * 1. "parent" Gateway
+             * 2. ListenerSet ordered by creation time (oldest first)
+             * 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
+             *
+             * An implementation MAY reject listeners by setting the ListenerEntryStatus
+             * `Accepted` condition to False with the Reason `TooManyListeners`
+             *
+             * If a listener has a conflict, this will be reported in the
+             * Status.ListenerEntryStatus setting the `Conflicted` condition to True.
+             *
+             * Implementations SHOULD be cautious about what information from the
+             * parent or siblings are reported to avoid accidentally leaking
+             * sensitive information that the child would not otherwise have access
+             * to. This can include contents of secrets etc.
+             */
+            listeners: outputs.gateway.v1alpha1.XListenerSetSpecListenersPatch[];
+            parentRef: outputs.gateway.v1alpha1.XListenerSetSpecParentRefPatch;
+        }
+
+        /**
+         * Status defines the current state of ListenerSet.
+         */
+        export interface XListenerSetStatus {
+            /**
+             * Conditions describe the current conditions of the ListenerSet.
+             *
+             * Implementations MUST express ListenerSet conditions using the
+             * `ListenerSetConditionType` and `ListenerSetConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe ListenerSet state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             */
+            conditions: outputs.gateway.v1alpha1.XListenerSetStatusConditions[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1alpha1.XListenerSetStatusListeners[];
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XListenerSetStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XListenerSetStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        export interface XListenerSetStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1alpha1.XListenerSetStatusListenersConditions[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * Port is the network port the listener is configured to listen on.
+             */
+            port: number;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKinds[];
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XListenerSetStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XListenerSetStatusListenersConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        export interface XListenerSetStatusListenersPatch {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1alpha1.XListenerSetStatusListenersConditionsPatch[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * Port is the network port the listener is configured to listen on.
+             */
+            port: number;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1alpha1.XListenerSetStatusListenersSupportedKindsPatch[];
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface XListenerSetStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface XListenerSetStatusListenersSupportedKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * Status defines the current state of ListenerSet.
+         */
+        export interface XListenerSetStatusPatch {
+            /**
+             * Conditions describe the current conditions of the ListenerSet.
+             *
+             * Implementations MUST express ListenerSet conditions using the
+             * `ListenerSetConditionType` and `ListenerSetConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe ListenerSet state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             */
+            conditions: outputs.gateway.v1alpha1.XListenerSetStatusConditionsPatch[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1alpha1.XListenerSetStatusListenersPatch[];
+        }
+
+        /**
+         * XMesh defines mesh-wide characteristics of a GAMMA-compliant service mesh.
+         */
+        export interface XMesh {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.x-k8s.io/v1alpha1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "XMesh";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha1.XMeshSpec;
+            status: outputs.gateway.v1alpha1.XMeshStatus;
+        }
+
+        /**
+         * Spec defines the desired state of XMesh.
+         */
+        export interface XMeshSpec {
+            /**
+             * ControllerName is the name of a controller that is managing Gateway API
+             * resources for mesh traffic management. The value of this field MUST be a
+             * domain prefixed path.
+             *
+             * Example: "example.com/awesome-mesh".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description optionally provides a human-readable description of a Mesh.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1alpha1.XMeshSpecParametersRef;
+        }
+
+        /**
+         * ParametersRef is an optional reference to a resource that contains
+         * implementation-specific configuration for this Mesh. If no
+         * implementation-specific parameters are needed, this field MUST be
+         * omitted.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e.
+         * ConfigMap, or an implementation-specific custom resource. The resource
+         * can be cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Mesh MUST be rejected
+         * with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface XMeshSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+
+        /**
+         * ParametersRef is an optional reference to a resource that contains
+         * implementation-specific configuration for this Mesh. If no
+         * implementation-specific parameters are needed, this field MUST be
+         * omitted.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e.
+         * ConfigMap, or an implementation-specific custom resource. The resource
+         * can be cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Mesh MUST be rejected
+         * with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface XMeshSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+
+        /**
+         * Spec defines the desired state of XMesh.
+         */
+        export interface XMeshSpecPatch {
+            /**
+             * ControllerName is the name of a controller that is managing Gateway API
+             * resources for mesh traffic management. The value of this field MUST be a
+             * domain prefixed path.
+             *
+             * Example: "example.com/awesome-mesh".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description optionally provides a human-readable description of a Mesh.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1alpha1.XMeshSpecParametersRefPatch;
+        }
+
+        /**
+         * Status defines the current state of XMesh.
+         */
+        export interface XMeshStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this Mesh.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of MeshConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1alpha1.XMeshStatusConditions[];
+            /**
+             * SupportedFeatures is the set of features the Mesh support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1alpha1.XMeshStatusSupportedFeatures[];
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XMeshStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface XMeshStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Status defines the current state of XMesh.
+         */
+        export interface XMeshStatusPatch {
+            /**
+             * Conditions is the current status from the controller for
+             * this Mesh.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of MeshConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1alpha1.XMeshStatusConditionsPatch[];
+            /**
+             * SupportedFeatures is the set of features the Mesh support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1alpha1.XMeshStatusSupportedFeaturesPatch[];
+        }
+
+        export interface XMeshStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+
+        export interface XMeshStatusSupportedFeaturesPatch {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+
+    }
+
+    export namespace v1alpha2 {
+        /**
+         * TCPRoute provides a way to route TCP requests. When combined with a Gateway
+         * listener, it can be used to forward connections on the port specified by the
+         * listener to a set of backends specified by the TCPRoute.
+         */
+        export interface TCPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha2";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "TCPRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha2.TCPRouteSpec;
+            status: outputs.gateway.v1alpha2.TCPRouteStatus;
+        }
+
+        /**
+         * Spec defines the desired state of TCPRoute.
+         */
+        export interface TCPRouteSpec {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.TCPRouteSpecParentRefs[];
+            /**
+             * Rules are a list of TCP matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.TCPRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TCPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TCPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Spec defines the desired state of TCPRoute.
+         */
+        export interface TCPRouteSpecPatch {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.TCPRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of TCP matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.TCPRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * TCPRouteRule is the configuration for a given rule.
+         */
+        export interface TCPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Connection rejections must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * connections, then 80% of connections must be rejected instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefs[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TCPRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TCPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * TCPRouteRule is the configuration for a given rule.
+         */
+        export interface TCPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Connection rejections must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * connections, then 80% of connections must be rejected instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.TCPRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+
+        /**
+         * Status defines the current state of TCPRoute.
+         */
+        export interface TCPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.TCPRouteStatusParents[];
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface TCPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.TCPRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.TCPRouteStatusParentsParentRef;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface TCPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface TCPRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface TCPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface TCPRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface TCPRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.TCPRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.TCPRouteStatusParentsParentRefPatch;
+        }
+
+        /**
+         * Status defines the current state of TCPRoute.
+         */
+        export interface TCPRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.TCPRouteStatusParentsPatch[];
+        }
+
+        /**
+         * The TLSRoute resource is similar to TCPRoute, but can be configured
+         * to match against TLS-specific metadata. This allows more flexibility
+         * in matching streams for a given TLS listener.
+         *
+         * If you need to forward traffic to a single target for a TLS listener, you
+         * could choose to use a TCPRoute with a TLS listener.
+         */
+        export interface TLSRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha2";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "TLSRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha2.TLSRouteSpec;
+            status: outputs.gateway.v1alpha2.TLSRouteStatus;
+        }
+
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        export interface TLSRouteSpec {
+            /**
+             * Hostnames defines a set of SNI names that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI names per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.TLSRouteSpecParentRefs[];
+            /**
+             * Rules are a list of TLS matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.TLSRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TLSRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TLSRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        export interface TLSRouteSpecPatch {
+            /**
+             * Hostnames defines a set of SNI names that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI names per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `test.example.com` and `*.example.com` would both match. On the other
+             *   hand, `example.com` and `test.example.net` would not match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.TLSRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of TLS matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.TLSRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        export interface TLSRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefs[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TLSRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TLSRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        export interface TLSRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.TLSRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        export interface TLSRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.TLSRouteStatusParents[];
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface TLSRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.TLSRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.TLSRouteStatusParentsParentRef;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface TLSRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface TLSRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface TLSRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface TLSRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface TLSRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.TLSRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.TLSRouteStatusParentsParentRefPatch;
+        }
+
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        export interface TLSRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.TLSRouteStatusParentsPatch[];
+        }
+
+        /**
+         * UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+         * listener, it can be used to forward traffic on the port specified by the
+         * listener to a set of backends specified by the UDPRoute.
+         */
+        export interface UDPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha2";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "UDPRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha2.UDPRouteSpec;
+            status: outputs.gateway.v1alpha2.UDPRouteStatus;
+        }
+
+        /**
+         * Spec defines the desired state of UDPRoute.
+         */
+        export interface UDPRouteSpec {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.UDPRouteSpecParentRefs[];
+            /**
+             * Rules are a list of UDP matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.UDPRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface UDPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface UDPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Spec defines the desired state of UDPRoute.
+         */
+        export interface UDPRouteSpecPatch {
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha2.UDPRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of UDP matchers and actions.
+             */
+            rules: outputs.gateway.v1alpha2.UDPRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * UDPRouteRule is the configuration for a given rule.
+         */
+        export interface UDPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Packet drops must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * the packets, then 80% of packets must be dropped instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefs[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface UDPRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface UDPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * UDPRouteRule is the configuration for a given rule.
+         */
+        export interface UDPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or a
+             * Service with no endpoints), the underlying implementation MUST actively
+             * reject connection attempts to this backend. Packet drops must
+             * respect weight; if an invalid backend is requested to have 80% of
+             * the packets, then 80% of packets must be dropped instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha2.UDPRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+
+        /**
+         * Status defines the current state of UDPRoute.
+         */
+        export interface UDPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.UDPRouteStatusParents[];
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface UDPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.UDPRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.UDPRouteStatusParentsParentRef;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface UDPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface UDPRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface UDPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface UDPRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface UDPRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha2.UDPRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha2.UDPRouteStatusParentsParentRefPatch;
+        }
+
+        /**
+         * Status defines the current state of UDPRoute.
+         */
+        export interface UDPRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha2.UDPRouteStatusParentsPatch[];
+        }
+
+    }
+
+    export namespace v1alpha3 {
+        /**
+         * BackendTLSPolicy provides a way to configure how a Gateway
+         * connects to a Backend via TLS.
+         */
+        export interface BackendTLSPolicy {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha3";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "BackendTLSPolicy";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha3.BackendTLSPolicySpec;
+            status: outputs.gateway.v1alpha3.BackendTLSPolicyStatus;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicySpec {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefs[];
+            validation: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidation;
+        }
+
+        /**
+         * Spec defines the desired state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicySpecPatch {
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+            /**
+             * TargetRefs identifies an API object to apply the policy to.
+             * Only Services have Extended support. Implementations MAY support
+             * additional objects, with Implementation Specific support.
+             * Note that this config applies to the entire referenced resource
+             * by default, but this default may change in the future to provide
+             * a more granular application of the policy.
+             *
+             * TargetRefs must be _distinct_. This means either that:
+             *
+             * * They select different targets. If this is the case, then targetRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, and `name` must
+             *   be unique across all targetRef entries in the BackendTLSPolicy.
+             * * They select different sectionNames in the same target.
+             *
+             * When more than one BackendTLSPolicy selects the same target and
+             * sectionName, implementations MUST determine precedence using the
+             * following criteria, continuing on ties:
+             *
+             * * The older policy by creation timestamp takes precedence. For
+             *   example, a policy with a creation timestamp of "2021-07-15
+             *   01:02:03" MUST be given precedence over a policy with a
+             *   creation timestamp of "2021-07-15 01:02:04".
+             * * The policy appearing first in alphabetical order by {name}.
+             *   For example, a policy named `bar` is given precedence over a
+             *   policy named `baz`.
+             *
+             * For any BackendTLSPolicy that does not take precedence, the
+             * implementation MUST ensure the `Accepted` Condition is set to
+             * `status: False`, with Reason `Conflicted`.
+             *
+             * Support: Extended for Kubernetes Service
+             *
+             * Support: Implementation-specific for any other resource
+             */
+            targetRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecTargetRefsPatch[];
+            validation: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationPatch;
+        }
+
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        export interface BackendTLSPolicySpecTargetRefs {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName: string;
+        }
+
+        /**
+         * LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+         * direct policy to. This should be used as part of Policy resources that can
+         * target single resources. For more information on how this policy attachment
+         * mode works, and a sample Policy resource, refer to the policy attachment
+         * documentation for Gateway API.
+         *
+         * Note: This should only be used for direct policy attachment when references
+         * to SectionName are actually needed. In all other cases,
+         * LocalPolicyTargetReference should be used.
+         */
+        export interface BackendTLSPolicySpecTargetRefsPatch {
+            /**
+             * Group is the group of the target resource.
+             */
+            group: string;
+            /**
+             * Kind is kind of the target resource.
+             */
+            kind: string;
+            /**
+             * Name is the name of the target resource.
+             */
+            name: string;
+            /**
+             * SectionName is the name of a section within the target resource. When
+             * unspecified, this targetRef targets the entire resource. In the following
+             * resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name
+             * * HTTPRoute: HTTPRouteRule name
+             * * Service: Port name
+             *
+             * If a SectionName is specified, but does not exist on the targeted object,
+             * the Policy must fail to attach, and the policy implementation should record
+             * a `ResolvedRefs` or similar Condition in the Policy's status.
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        export interface BackendTLSPolicySpecValidation {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefs[];
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNames[];
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates: string;
+        }
+
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface BackendTLSPolicySpecValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * LocalObjectReference identifies an API object within the namespace of the
+         * referrer.
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface BackendTLSPolicySpecValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * Validation contains backend TLS validation configuration.
+         */
+        export interface BackendTLSPolicySpecValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to Kubernetes objects that
+             * contain a PEM-encoded TLS CA certificate bundle, which is used to
+             * validate a TLS handshake between the Gateway and backend Pod.
+             *
+             * If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+             * specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+             * not both. If CACertificateRefs is empty or unspecified, the configuration for
+             * WellKnownCACertificates MUST be honored instead if supported by the implementation.
+             *
+             * A CACertificateRef is invalid if:
+             *
+             * * It refers to a resource that cannot be resolved (e.g., the referenced resource
+             *   does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+             *   named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+             *   and the Message of the Condition must indicate which reference is invalid and why.
+             *
+             * * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+             *   must be set to `InvalidKind` and the Message of the Condition must explain which
+             *   kind of resource is unknown or unsupported.
+             *
+             * * It refers to a resource in another namespace. This may change in future
+             *   spec updates.
+             *
+             * Implementations MAY choose to perform further validation of the certificate
+             * content (e.g., checking expiry or enforcing specific formats). In such cases,
+             * an implementation-specific Reason and Message must be set for the invalid reference.
+             *
+             * In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+             * the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+             * that indicate the cause of the error. Connections using an invalid
+             * CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+             * response. If ALL CACertificateRefs are invalid, the implementation MUST also
+             * ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+             * `status: False`, with a Reason `NoValidCACertificate`.
+             *
+             * A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a backend, but this behavior is implementation-specific.
+             *
+             * Support: Core - An optional single reference to a Kubernetes ConfigMap,
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific - More than one reference, other kinds
+             * of resources, or a single reference that includes multiple certificates.
+             */
+            caCertificateRefs: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationCaCertificateRefsPatch[];
+            /**
+             * Hostname is used for two purposes in the connection between Gateways and
+             * backends:
+             *
+             * 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+             * 2. Hostname MUST be used for authentication and MUST match the certificate
+             *    served by the matching backend, unless SubjectAltNames is specified.
+             * 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+             *    but MUST NOT be used for authentication. If you want to use the value
+             *    of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * SubjectAltNames contains one or more Subject Alternative Names.
+             * When specified the certificate served from the backend MUST
+             * have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+             *
+             * Support: Extended
+             */
+            subjectAltNames: outputs.gateway.v1alpha3.BackendTLSPolicySpecValidationSubjectAltNamesPatch[];
+            /**
+             * WellKnownCACertificates specifies whether system CA certificates may be used in
+             * the TLS handshake between the gateway and backend pod.
+             *
+             * If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+             * must be specified with at least one entry for a valid configuration. Only one of
+             * CACertificateRefs or WellKnownCACertificates may be specified, not both.
+             * If an implementation does not support the WellKnownCACertificates field, or
+             * the supplied value is not recognized, the implementation MUST ensure the
+             * `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+             * a Reason `Invalid`.
+             *
+             * Support: Implementation-specific
+             */
+            wellKnownCACertificates: string;
+        }
+
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        export interface BackendTLSPolicySpecValidationSubjectAltNames {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type: string;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri: string;
+        }
+
+        /**
+         * SubjectAltName represents Subject Alternative Name.
+         */
+        export interface BackendTLSPolicySpecValidationSubjectAltNamesPatch {
+            /**
+             * Hostname contains Subject Alternative Name specified in DNS name format.
+             * Required when Type is set to Hostname, ignored otherwise.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Type determines the format of the Subject Alternative Name. Always required.
+             *
+             * Support: Core
+             */
+            type: string;
+            /**
+             * URI contains Subject Alternative Name specified in a full URI format.
+             * It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+             * Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+             * Required when Type is set to URI, ignored otherwise.
+             *
+             * Support: Core
+             */
+            uri: string;
+        }
+
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicyStatus {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestors[];
+        }
+
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        export interface BackendTLSPolicyStatusAncestors {
+            ancestorRef: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsAncestorRef;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        export interface BackendTLSPolicyStatusAncestorsAncestorRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * AncestorRef corresponds with a ParentRef in the spec that this
+         * PolicyAncestorStatus struct describes the status of.
+         */
+        export interface BackendTLSPolicyStatusAncestorsAncestorRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface BackendTLSPolicyStatusAncestorsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface BackendTLSPolicyStatusAncestorsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * PolicyAncestorStatus describes the status of a route with respect to an
+         * associated Ancestor.
+         *
+         * Ancestors refer to objects that are either the Target of a policy or above it
+         * in terms of object hierarchy. For example, if a policy targets a Service, the
+         * Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+         * the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+         * useful object to place Policy status on, so we recommend that implementations
+         * SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+         * have a _very_ good reason otherwise.
+         *
+         * In the context of policy attachment, the Ancestor is used to distinguish which
+         * resource results in a distinct application of this policy. For example, if a policy
+         * targets a Service, it may have a distinct result per attached Gateway.
+         *
+         * Policies targeting the same resource may have different effects depending on the
+         * ancestors of those resources. For example, different Gateways targeting the same
+         * Service may have different capabilities, especially if they have different underlying
+         * implementations.
+         *
+         * For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+         * used as a backend in a HTTPRoute that is itself attached to a Gateway.
+         * In this case, the relevant object for status is the Gateway, and that is the
+         * ancestor object referred to in this status.
+         *
+         * Note that a parent is also an ancestor, so for objects where the parent is the
+         * relevant object for status, this struct SHOULD still be used.
+         *
+         * This struct is intended to be used in a slice that's effectively a map,
+         * with a composite key made up of the AncestorRef and the ControllerName.
+         */
+        export interface BackendTLSPolicyStatusAncestorsPatch {
+            ancestorRef: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsAncestorRefPatch;
+            /**
+             * Conditions describes the status of the Policy with respect to the given Ancestor.
+             */
+            conditions: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+        }
+
+        /**
+         * Status defines the current state of BackendTLSPolicy.
+         */
+        export interface BackendTLSPolicyStatusPatch {
+            /**
+             * Ancestors is a list of ancestor resources (usually Gateways) that are
+             * associated with the policy, and the status of the policy with respect to
+             * each ancestor. When this policy attaches to a parent, the controller that
+             * manages the parent and the ancestors MUST add an entry to this list when
+             * the controller first sees the policy and SHOULD update the entry as
+             * appropriate when the relevant ancestor is modified.
+             *
+             * Note that choosing the relevant ancestor is left to the Policy designers;
+             * an important part of Policy design is designing the right object level at
+             * which to namespace this status.
+             *
+             * Note also that implementations MUST ONLY populate ancestor status for
+             * the Ancestor resources they are responsible for. Implementations MUST
+             * use the ControllerName field to uniquely identify the entries in this list
+             * that they are responsible for.
+             *
+             * Note that to achieve this, the list of PolicyAncestorStatus structs
+             * MUST be treated as a map with a composite key, made up of the AncestorRef
+             * and ControllerName fields combined.
+             *
+             * A maximum of 16 ancestors will be represented in this list. An empty list
+             * means the Policy is not relevant for any ancestors.
+             *
+             * If this slice is full, implementations MUST NOT add further entries.
+             * Instead they MUST consider the policy unimplementable and signal that
+             * on any related resources such as the ancestor that would be referenced
+             * here. For example, if this list was full on BackendTLSPolicy, no
+             * additional Gateways would be able to reference the Service targeted by
+             * the BackendTLSPolicy.
+             */
+            ancestors: outputs.gateway.v1alpha3.BackendTLSPolicyStatusAncestorsPatch[];
+        }
+
+        /**
+         * The TLSRoute resource is similar to TCPRoute, but can be configured
+         * to match against TLS-specific metadata. This allows more flexibility
+         * in matching streams for a given TLS listener.
+         *
+         * If you need to forward traffic to a single target for a TLS listener, you
+         * could choose to use a TCPRoute with a TLS listener.
+         */
+        export interface TLSRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1alpha3";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "TLSRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1alpha3.TLSRouteSpec;
+            status: outputs.gateway.v1alpha3.TLSRouteStatus;
+        }
+
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        export interface TLSRouteSpec {
+            /**
+             * Hostnames defines a set of SNI hostnames that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI hostnames per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one of `test.example.com` or
+             *   `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one hostname that matches the Listener
+             *   hostname. For example, `test.example.com` and `*.example.com` would both
+             *   match. On the other hand, `example.com` and `test.example.net` would not
+             *   match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha3.TLSRouteSpecParentRefs[];
+            /**
+             * Rules are a list of actions.
+             */
+            rules: outputs.gateway.v1alpha3.TLSRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TLSRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface TLSRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Spec defines the desired state of TLSRoute.
+         */
+        export interface TLSRouteSpecPatch {
+            /**
+             * Hostnames defines a set of SNI hostnames that should match against the
+             * SNI attribute of TLS ClientHello message in TLS handshake. This matches
+             * the RFC 1123 definition of a hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed in SNI hostnames per RFC 6066.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and TLSRoute, there
+             * must be at least one intersecting hostname for the TLSRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one of `test.example.com` or
+             *   `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches TLSRoutes
+             *   that have specified at least one hostname that matches the Listener
+             *   hostname. For example, `test.example.com` and `*.example.com` would both
+             *   match. On the other hand, `example.com` and `test.example.net` would not
+             *   match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, any
+             * TLSRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * TLSRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and TLSRoute have specified hostnames, and none
+             * match with the criteria above, then the TLSRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1alpha3.TLSRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of actions.
+             */
+            rules: outputs.gateway.v1alpha3.TLSRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        export interface TLSRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefs[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TLSRouteSpecRulesBackendRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * BackendRef defines how a Route should forward a request to a Kubernetes
+         * resource.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         *
+         *
+         * Note that when the BackendTLSPolicy object is enabled by the implementation,
+         * there are some extra rules about validity to consider here. See the fields
+         * where this struct is used for more information about the exact behavior.
+         */
+        export interface TLSRouteSpecRulesBackendRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * TLSRouteRule is the configuration for a given rule.
+         */
+        export interface TLSRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent. If unspecified or invalid (refers to a nonexistent resource or
+             * a Service with no endpoints), the rule performs no forwarding; if no
+             * filters are specified that would result in a response being sent, the
+             * underlying implementation must actively reject request attempts to this
+             * backend, by rejecting the connection or returning a 500 status code.
+             * Request rejections must respect weight; if an invalid backend is
+             * requested to have 80% of requests, then 80% of requests must be rejected
+             * instead.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Extended
+             */
+            backendRefs: outputs.gateway.v1alpha3.TLSRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+        }
+
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        export interface TLSRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha3.TLSRouteStatusParents[];
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface TLSRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha3.TLSRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha3.TLSRouteStatusParentsParentRef;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface TLSRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface TLSRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface TLSRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface TLSRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface TLSRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1alpha3.TLSRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1alpha3.TLSRouteStatusParentsParentRefPatch;
+        }
+
+        /**
+         * Status defines the current state of TLSRoute.
+         */
+        export interface TLSRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1alpha3.TLSRouteStatusParentsPatch[];
+        }
+
+    }
+
+    export namespace v1beta1 {
+        /**
+         * Gateway represents an instance of a service-traffic handling infrastructure
+         * by binding Listeners to a set of IP addresses.
+         */
+        export interface Gateway {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1beta1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "Gateway";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1beta1.GatewaySpec;
+            status: outputs.gateway.v1beta1.GatewayStatus;
+        }
+
+        /**
+         * GatewayClass describes a class of Gateways available to the user for creating
+         * Gateway resources.
+         *
+         * It is recommended that this resource be used as a template for Gateways. This
+         * means that a Gateway is based on the state of the GatewayClass at the time it
+         * was created and changes to the GatewayClass or associated parameters are not
+         * propagated down to existing Gateways. This recommendation is intended to
+         * limit the blast radius of changes to GatewayClass or associated parameters.
+         * If implementations choose to propagate GatewayClass changes to existing
+         * Gateways, that MUST be clearly documented by the implementation.
+         *
+         * Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+         * add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+         * associated GatewayClass. This ensures that a GatewayClass associated with a
+         * Gateway is not deleted while in use.
+         *
+         * GatewayClass is a Cluster level resource.
+         */
+        export interface GatewayClass {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1beta1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "GatewayClass";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1beta1.GatewayClassSpec;
+            status: outputs.gateway.v1beta1.GatewayClassStatus;
+        }
+
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        export interface GatewayClassSpec {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1beta1.GatewayClassSpecParametersRef;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewayClassSpecParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the GatewayClass. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+         * or an implementation-specific custom resource. The resource can be
+         * cluster-scoped or namespace-scoped.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the GatewayClass SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewayClassSpecParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent.
+             * This field is required when referring to a Namespace-scoped resource and
+             * MUST be unset when referring to a Cluster-scoped resource.
+             */
+            namespace: string;
+        }
+
+        /**
+         * Spec defines the desired state of GatewayClass.
+         */
+        export interface GatewayClassSpecPatch {
+            /**
+             * ControllerName is the name of the controller that is managing Gateways of
+             * this class. The value of this field MUST be a domain prefixed path.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * This field is not mutable and cannot be empty.
+             *
+             * Support: Core
+             */
+            controllerName: string;
+            /**
+             * Description helps describe a GatewayClass with more details.
+             */
+            description: string;
+            parametersRef: outputs.gateway.v1beta1.GatewayClassSpecParametersRefPatch;
+        }
+
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        export interface GatewayClassStatus {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1beta1.GatewayClassStatusConditions[];
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1beta1.GatewayClassStatusSupportedFeatures[];
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayClassStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayClassStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Status defines the current state of GatewayClass.
+         *
+         * Implementations MUST populate status on all GatewayClass resources which
+         * specify their controller name.
+         */
+        export interface GatewayClassStatusPatch {
+            /**
+             * Conditions is the current status from the controller for
+             * this GatewayClass.
+             *
+             * Controllers should prefer to publish conditions using values
+             * of GatewayClassConditionType for the type of each Condition.
+             */
+            conditions: outputs.gateway.v1beta1.GatewayClassStatusConditionsPatch[];
+            /**
+             * SupportedFeatures is the set of features the GatewayClass support.
+             * It MUST be sorted in ascending alphabetical order by the Name key.
+             */
+            supportedFeatures: outputs.gateway.v1beta1.GatewayClassStatusSupportedFeaturesPatch[];
+        }
+
+        export interface GatewayClassStatusSupportedFeatures {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+
+        export interface GatewayClassStatusSupportedFeaturesPatch {
+            /**
+             * FeatureName is used to describe distinct features that are covered by
+             * conformance tests.
+             */
+            name: string;
+        }
+
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        export interface GatewaySpec {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses: outputs.gateway.v1beta1.GatewaySpecAddresses[];
+            allowedListeners: outputs.gateway.v1beta1.GatewaySpecAllowedListeners;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope: string;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName: string;
+            infrastructure: outputs.gateway.v1beta1.GatewaySpecInfrastructure;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners: outputs.gateway.v1beta1.GatewaySpecListeners[];
+            tls: outputs.gateway.v1beta1.GatewaySpecTls;
+        }
+
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        export interface GatewaySpecAddresses {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+
+        /**
+         * GatewaySpecAddress describes an address that can be bound to a Gateway.
+         */
+        export interface GatewaySpecAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * When a value is unspecified, an implementation SHOULD automatically
+             * assign an address matching the requested type if possible.
+             *
+             * If an implementation does not support an empty value, they MUST set the
+             * "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListeners {
+            namespaces: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespaces;
+        }
+
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersNamespaces {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from: string;
+            selector: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelector;
+        }
+
+        /**
+         * Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesPatch {
+            /**
+             * From indicates where ListenerSets can attach to this Gateway. Possible
+             * values are:
+             *
+             * * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+             * * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+             * * All: ListenerSets in all namespaces may be attached to this Gateway.
+             * * None: Only listeners defined in the Gateway's spec are allowed
+             *
+             * While this feature is experimental, the default value None
+             */
+            from: string;
+            selector: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorPatch;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only ListenerSets in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         */
+        export interface GatewaySpecAllowedListenersNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * AllowedListeners defines which ListenerSets can be attached to this Gateway.
+         * While this feature is experimental, the default value is to allow no ListenerSets.
+         */
+        export interface GatewaySpecAllowedListenersPatch {
+            namespaces: outputs.gateway.v1beta1.GatewaySpecAllowedListenersNamespacesPatch;
+        }
+
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecInfrastructure {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels: {[key: string]: string};
+            parametersRef: outputs.gateway.v1beta1.GatewaySpecInfrastructureParametersRef;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewaySpecInfrastructureParametersRef {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ParametersRef is a reference to a resource that contains the configuration
+         * parameters corresponding to the Gateway. This is optional if the
+         * controller does not require any additional configuration.
+         *
+         * This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+         *
+         * The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+         * the merging behavior is implementation specific.
+         * It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+         *
+         * If the referent cannot be found, refers to an unsupported kind, or when
+         * the data within that resource is malformed, the Gateway SHOULD be
+         * rejected with the "Accepted" status condition set to "False" and an
+         * "InvalidParameters" reason.
+         *
+         * Support: Implementation-specific
+         */
+        export interface GatewaySpecInfrastructureParametersRefPatch {
+            /**
+             * Group is the group of the referent.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * Infrastructure defines infrastructure level attributes about this Gateway instance.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecInfrastructurePatch {
+            /**
+             * Annotations that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific annotations as they see fit.
+             *
+             * Support: Extended
+             */
+            annotations: {[key: string]: string};
+            /**
+             * Labels that SHOULD be applied to any resources created in response to this Gateway.
+             *
+             * For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+             * For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+             *
+             * An implementation may chose to add additional implementation-specific labels as they see fit.
+             *
+             * If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+             * change, it SHOULD clearly warn about this behavior in documentation.
+             *
+             * Support: Extended
+             */
+            labels: {[key: string]: string};
+            parametersRef: outputs.gateway.v1beta1.GatewaySpecInfrastructureParametersRefPatch;
+        }
+
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        export interface GatewaySpecListeners {
+            allowedRoutes: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutes;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol: string;
+            tls: outputs.gateway.v1beta1.GatewaySpecListenersTls;
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutes {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKinds[];
+            namespaces: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespaces;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewaySpecListenersAllowedRoutesKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewaySpecListenersAllowedRoutesKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespaces {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelector;
+        }
+
+        /**
+         * Namespaces indicates namespaces from which Routes may be attached to this
+         * Listener. This is restricted to the namespace of this Gateway by default.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesPatch {
+            /**
+             * From indicates where Routes will be selected for this Gateway. Possible
+             * values are:
+             *
+             * * All: Routes in all namespaces may be used by this Gateway.
+             * * Selector: Routes in namespaces selected by the selector may be used by
+             *   this Gateway.
+             * * Same: Only Routes in the same namespace may be used by this Gateway.
+             *
+             * Support: Core
+             */
+            from: string;
+            selector: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch;
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelector {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressions {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * A label selector requirement is a selector that contains values, a key, and an operator that
+         * relates the key and values.
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch {
+            /**
+             * key is the label key that the selector applies to.
+             */
+            key: string;
+            /**
+             * operator represents a key's relationship to a set of values.
+             * Valid operators are In, NotIn, Exists and DoesNotExist.
+             */
+            operator: string;
+            /**
+             * values is an array of string values. If the operator is In or NotIn,
+             * the values array must be non-empty. If the operator is Exists or DoesNotExist,
+             * the values array must be empty. This array is replaced during a strategic
+             * merge patch.
+             */
+            values: string[];
+        }
+
+        /**
+         * Selector must be specified when From is set to "Selector". In that case,
+         * only Routes in Namespaces matching this Selector will be selected by this
+         * Gateway. This field is ignored for other values of "From".
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesNamespacesSelectorPatch {
+            /**
+             * matchExpressions is a list of label selector requirements. The requirements are ANDed.
+             */
+            matchExpressions: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesSelectorMatchExpressionsPatch[];
+            /**
+             * matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+             * map is equivalent to an element of matchExpressions, whose key field is "key", the
+             * operator is "In", and the values array contains only "value". The requirements are ANDed.
+             */
+            matchLabels: {[key: string]: string};
+        }
+
+        /**
+         * AllowedRoutes defines the types of routes that MAY be attached to a
+         * Listener and the trusted namespaces where those Route resources MAY be
+         * present.
+         *
+         * Although a client request may match multiple route rules, only one rule
+         * may ultimately receive the request. Matching precedence MUST be
+         * determined in order of the following criteria:
+         *
+         * * The most specific match as defined by the Route type.
+         * * The oldest Route based on creation timestamp. For example, a Route with
+         *   a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+         *   a Route with a creation timestamp of "2020-09-08 01:02:04".
+         * * If everything else is equivalent, the Route appearing first in
+         *   alphabetical order (namespace/name) should be given precedence. For
+         *   example, foo/bar is given precedence over foo/baz.
+         *
+         * All valid rules within a Route attached to this Listener should be
+         * implemented. Invalid Route rules can be ignored (sometimes that will mean
+         * the full Route). If a Route rule transitions from valid to invalid,
+         * support for that Route rule should be dropped to ensure consistency. For
+         * example, even if a filter specified by a Route rule is invalid, the rest
+         * of the rules within that Route should still be supported.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersAllowedRoutesPatch {
+            /**
+             * Kinds specifies the groups and kinds of Routes that are allowed to bind
+             * to this Gateway Listener. When unspecified or empty, the kinds of Routes
+             * selected are determined using the Listener protocol.
+             *
+             * A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+             * with the application protocol specified in the Listener's Protocol field.
+             * If an implementation does not support or recognize this resource type, it
+             * MUST set the "ResolvedRefs" condition to False for this Listener with the
+             * "InvalidRouteKinds" reason.
+             *
+             * Support: Core
+             */
+            kinds: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesKindsPatch[];
+            namespaces: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesNamespacesPatch;
+        }
+
+        /**
+         * Listener embodies the concept of a logical endpoint where a Gateway accepts
+         * network connections.
+         */
+        export interface GatewaySpecListenersPatch {
+            allowedRoutes: outputs.gateway.v1beta1.GatewaySpecListenersAllowedRoutesPatch;
+            /**
+             * Hostname specifies the virtual hostname to match for protocol types that
+             * define this concept. When unspecified, all hostnames are matched. This
+             * field is ignored for protocols that don't require hostname based
+             * matching.
+             *
+             * Implementations MUST apply Hostname matching appropriately for each of
+             * the following protocols:
+             *
+             * * TLS: The Listener Hostname MUST match the SNI.
+             * * HTTP: The Listener Hostname MUST match the Host header of the request.
+             * * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header.
+             *   Note that this does not require the SNI and Host header to be the same.
+             *   The semantics of this are described in more detail below.
+             *
+             * To ensure security, Section 11.1 of RFC-6066 emphasizes that server
+             * implementations that rely on SNI hostname matching MUST also verify
+             * hostnames within the application protocol.
+             *
+             * Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
+             * reuse of a connection by responding with the HTTP 421 Misdirected Request
+             * status code. This indicates that the origin server has rejected the
+             * request because it appears to have been misdirected.
+             *
+             * To detect misdirected requests, Gateways SHOULD match the authority of
+             * the requests with all the SNI hostname(s) configured across all the
+             * Gateway Listeners on the same port and protocol:
+             *
+             * * If another Listener has an exact match or more specific wildcard entry,
+             *   the Gateway SHOULD return a 421.
+             * * If the current Listener (selected by SNI matching during ClientHello)
+             *   does not match the Host:
+             *     * If another Listener does match the Host the Gateway SHOULD return a
+             *       421.
+             *     * If no other Listener matches the Host, the Gateway MUST return a
+             *       404.
+             *
+             * For HTTPRoute and TLSRoute resources, there is an interaction with the
+             * `spec.hostnames` array. When both listener and route specify hostnames,
+             * there MUST be an intersection between the values for a Route to be
+             * accepted. For more information, refer to the Route specific Hostnames
+             * documentation.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            /**
+             * Name is the name of the Listener. This name MUST be unique within a
+             * Gateway.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Port is the network port. Multiple listeners may use the
+             * same port, subject to the Listener compatibility rules.
+             *
+             * Support: Core
+             */
+            port: number;
+            /**
+             * Protocol specifies the network protocol this listener expects to receive.
+             *
+             * Support: Core
+             */
+            protocol: string;
+            tls: outputs.gateway.v1beta1.GatewaySpecListenersTlsPatch;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersTls {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefs[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecListenersTlsCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * SecretObjectReference identifies an API object including its namespace,
+         * defaulting to Secret.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecListenersTlsCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * TLS is the TLS configuration for the Listener. This field is required if
+         * the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+         * if the Protocol field is "HTTP", "TCP", or "UDP".
+         *
+         * The association of SNIs to Certificate defined in ListenerTLSConfig is
+         * defined based on the Hostname field for this listener.
+         *
+         * The GatewayClass MUST use the longest matching SNI out of all
+         * available certificates for any TLS handshake.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecListenersTlsPatch {
+            /**
+             * CertificateRefs contains a series of references to Kubernetes objects that
+             * contains TLS certificates and private keys. These certificates are used to
+             * establish a TLS handshake for requests that match the hostname of the
+             * associated listener.
+             *
+             * A single CertificateRef to a Kubernetes Secret has "Core" support.
+             * Implementations MAY choose to support attaching multiple certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * References to a resource in different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             *
+             * This field is required to have at least one element when the mode is set
+             * to "Terminate" (default) and is optional otherwise.
+             *
+             * CertificateRefs can reference to standard Kubernetes resources, i.e.
+             * Secret, or implementation-specific custom resources.
+             *
+             * Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+             *
+             * Support: Implementation-specific (More than one reference or other resource types)
+             */
+            certificateRefs: outputs.gateway.v1beta1.GatewaySpecListenersTlsCertificateRefsPatch[];
+            /**
+             * Mode defines the TLS behavior for the TLS session initiated by the client.
+             * There are two possible modes:
+             *
+             * - Terminate: The TLS session between the downstream client and the
+             *   Gateway is terminated at the Gateway. This mode requires certificates
+             *   to be specified in some way, such as populating the certificateRefs
+             *   field.
+             * - Passthrough: The TLS session is NOT terminated by the Gateway. This
+             *   implies that the Gateway can't decipher the TLS stream except for
+             *   the ClientHello message of the TLS protocol. The certificateRefs field
+             *   is ignored in this mode.
+             *
+             * Support: Core
+             */
+            mode: string;
+            /**
+             * Options are a list of key/value pairs to enable extended TLS
+             * configuration for each implementation. For example, configuring the
+             * minimum TLS version or supported cipher suites.
+             *
+             * A set of common keys MAY be defined by the API in the future. To avoid
+             * any ambiguity, implementation-specific definitions MUST use
+             * domain-prefixed names, such as `example.com/my-custom-option`.
+             * Un-prefixed names are reserved for key names defined by Gateway API.
+             *
+             * Support: Implementation-specific
+             */
+            options: {[key: string]: string};
+        }
+
+        /**
+         * Spec defines the desired state of Gateway.
+         */
+        export interface GatewaySpecPatch {
+            /**
+             * Addresses requested for this Gateway. This is optional and behavior can
+             * depend on the implementation. If a value is set in the spec and the
+             * requested address is invalid or unavailable, the implementation MUST
+             * indicate this in an associated entry in GatewayStatus.Conditions.
+             *
+             * The Addresses field represents a request for the address(es) on the
+             * "outside of the Gateway", that traffic bound for this Gateway will use.
+             * This could be the IP address or hostname of an external load balancer or
+             * other networking infrastructure, or some other address that traffic will
+             * be sent to.
+             *
+             * If no Addresses are specified, the implementation MAY schedule the
+             * Gateway in an implementation-specific manner, assigning an appropriate
+             * set of Addresses.
+             *
+             * The implementation MUST bind all Listeners to every GatewayAddress that
+             * it assigns to the Gateway and add a corresponding entry in
+             * GatewayStatus.Addresses.
+             *
+             * Support: Extended
+             */
+            addresses: outputs.gateway.v1beta1.GatewaySpecAddressesPatch[];
+            allowedListeners: outputs.gateway.v1beta1.GatewaySpecAllowedListenersPatch;
+            /**
+             * DefaultScope, when set, configures the Gateway as a default Gateway,
+             * meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+             * attached to it, according to the scope configured here.
+             *
+             * If unset (the default) or set to None, the Gateway will not act as a
+             * default Gateway; if set, the Gateway will claim any Route with a
+             * matching scope set in its UseDefaultGateway field, subject to the usual
+             * rules about which routes the Gateway can attach to.
+             *
+             * Think carefully before using this functionality! While the normal rules
+             * about which Route can apply are still enforced, it is simply easier for
+             * the wrong Route to be accidentally attached to this Gateway in this
+             * configuration. If the Gateway operator is not also the operator in
+             * control of the scope (e.g. namespace) with tight controls and checks on
+             * what kind of workloads and Routes get added in that scope, we strongly
+             * recommend not using this just because it seems convenient, and instead
+             * stick to direct Route attachment.
+             */
+            defaultScope: string;
+            /**
+             * GatewayClassName used for this Gateway. This is the name of a
+             * GatewayClass resource.
+             */
+            gatewayClassName: string;
+            infrastructure: outputs.gateway.v1beta1.GatewaySpecInfrastructurePatch;
+            /**
+             * Listeners associated with this Gateway. Listeners define
+             * logical endpoints that are bound on this Gateway's addresses.
+             * At least one Listener MUST be specified.
+             *
+             * ## Distinct Listeners
+             *
+             * Each Listener in a set of Listeners (for example, in a single Gateway)
+             * MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+             * exactly one listener. (This section uses "set of Listeners" rather than
+             * "Listeners in a single Gateway" because implementations MAY merge configuration
+             * from multiple Gateways onto a single data plane, and these rules _also_
+             * apply in that case).
+             *
+             * Practically, this means that each listener in a set MUST have a unique
+             * combination of Port, Protocol, and, if supported by the protocol, Hostname.
+             *
+             * Some combinations of port, protocol, and TLS settings are considered
+             * Core support and MUST be supported by implementations based on the objects
+             * they support:
+             *
+             * HTTPRoute
+             *
+             * 1. HTTPRoute, Port: 80, Protocol: HTTP
+             * 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+             *
+             * TLSRoute
+             *
+             * 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+             *
+             * "Distinct" Listeners have the following property:
+             *
+             * **The implementation can match inbound requests to a single distinct
+             * Listener**.
+             *
+             * When multiple Listeners share values for fields (for
+             * example, two Listeners with the same Port value), the implementation
+             * can match requests to only one of the Listeners using other
+             * Listener fields.
+             *
+             * When multiple listeners have the same value for the Protocol field, then
+             * each of the Listeners with matching Protocol values MUST have different
+             * values for other fields.
+             *
+             * The set of fields that MUST be different for a Listener differs per protocol.
+             * The following rules define the rules for what fields MUST be considered for
+             * Listeners to be distinct with each protocol currently defined in the
+             * Gateway API spec.
+             *
+             * The set of listeners that all share a protocol value MUST have _different_
+             * values for _at least one_ of these fields to be distinct:
+             *
+             * * **HTTP, HTTPS, TLS**: Port, Hostname
+             * * **TCP, UDP**: Port
+             *
+             * One **very** important rule to call out involves what happens when an
+             * implementation:
+             *
+             * * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol
+             *   Listeners, and
+             * * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP
+             *   Protocol.
+             *
+             * In this case all the Listeners that share a port with the
+             * TCP Listener are not distinct and so MUST NOT be accepted.
+             *
+             * If an implementation does not support TCP Protocol Listeners, then the
+             * previous rule does not apply, and the TCP Listeners SHOULD NOT be
+             * accepted.
+             *
+             * Note that the `tls` field is not used for determining if a listener is distinct, because
+             * Listeners that _only_ differ on TLS config will still conflict in all cases.
+             *
+             * ### Listeners that are distinct only by Hostname
+             *
+             * When the Listeners are distinct based only on Hostname, inbound request
+             * hostnames MUST match from the most specific to least specific Hostname
+             * values to choose the correct Listener and its associated set of Routes.
+             *
+             * Exact matches MUST be processed before wildcard matches, and wildcard
+             * matches MUST be processed before fallback (empty Hostname value)
+             * matches. For example, `"foo.example.com"` takes precedence over
+             * `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+             *
+             * Additionally, if there are multiple wildcard entries, more specific
+             * wildcard entries must be processed before less specific wildcard entries.
+             * For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+             *
+             * The precise definition here is that the higher the number of dots in the
+             * hostname to the right of the wildcard character, the higher the precedence.
+             *
+             * The wildcard character will match any number of characters _and dots_ to
+             * the left, however, so `"*.example.com"` will match both
+             * `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+             *
+             * ## Handling indistinct Listeners
+             *
+             * If a set of Listeners contains Listeners that are not distinct, then those
+             * Listeners are _Conflicted_, and the implementation MUST set the "Conflicted"
+             * condition in the Listener Status to "True".
+             *
+             * The words "indistinct" and "conflicted" are considered equivalent for the
+             * purpose of this documentation.
+             *
+             * Implementations MAY choose to accept a Gateway with some Conflicted
+             * Listeners only if they only accept the partial Listener set that contains
+             * no Conflicted Listeners.
+             *
+             * Specifically, an implementation MAY accept a partial Listener set subject to
+             * the following rules:
+             *
+             * * The implementation MUST NOT pick one conflicting Listener as the winner.
+             *   ALL indistinct Listeners must not be accepted for processing.
+             * * At least one distinct Listener MUST be present, or else the Gateway effectively
+             *   contains _no_ Listeners, and must be rejected from processing as a whole.
+             *
+             * The implementation MUST set a "ListenersNotValid" condition on the
+             * Gateway Status when the Gateway contains Conflicted Listeners whether or
+             * not they accept the Gateway. That Condition SHOULD clearly
+             * indicate in the Message which Listeners are conflicted, and which are
+             * Accepted. Additionally, the Listener status for those listeners SHOULD
+             * indicate which Listeners are conflicted and not Accepted.
+             *
+             * ## General Listener behavior
+             *
+             * Note that, for all distinct Listeners, requests SHOULD match at most one Listener.
+             * For example, if Listeners are defined for "foo.example.com" and "*.example.com", a
+             * request to "foo.example.com" SHOULD only be routed using routes attached
+             * to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+             *
+             * This concept is known as "Listener Isolation", and it is an Extended feature
+             * of Gateway API. Implementations that do not support Listener Isolation MUST
+             * clearly document this, and MUST NOT claim support for the
+             * `GatewayHTTPListenerIsolation` feature.
+             *
+             * Implementations that _do_ support Listener Isolation SHOULD claim support
+             * for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated
+             * conformance tests.
+             *
+             * ## Compatible Listeners
+             *
+             * A Gateway's Listeners are considered _compatible_ if:
+             *
+             * 1. They are distinct.
+             * 2. The implementation can serve them in compliance with the Addresses
+             *    requirement that all Listeners are available on all assigned
+             *    addresses.
+             *
+             * Compatible combinations in Extended support are expected to vary across
+             * implementations. A combination that is compatible for one implementation
+             * may not be compatible for another.
+             *
+             * For example, an implementation that cannot serve both TCP and UDP listeners
+             * on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+             * would not consider those cases compatible, even though they are distinct.
+             *
+             * Implementations MAY merge separate Gateways onto a single set of
+             * Addresses if all Listeners across all Gateways are compatible.
+             *
+             * In a future release the MinItems=1 requirement MAY be dropped.
+             *
+             * Support: Core
+             */
+            listeners: outputs.gateway.v1beta1.GatewaySpecListenersPatch[];
+            tls: outputs.gateway.v1beta1.GatewaySpecTlsPatch;
+        }
+
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecTls {
+            backend: outputs.gateway.v1beta1.GatewaySpecTlsBackend;
+            frontend: outputs.gateway.v1beta1.GatewaySpecTlsFrontend;
+        }
+
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackend {
+            clientCertificateRef: outputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRef;
+        }
+
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendClientCertificateRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * ClientCertificateRef is a reference to an object that contains a Client
+         * Certificate and the associated private key.
+         *
+         * References to a resource in different namespace are invalid UNLESS there
+         * is a ReferenceGrant in the target namespace that allows the certificate
+         * to be attached. If a ReferenceGrant does not allow this reference, the
+         * "ResolvedRefs" condition MUST be set to False for this listener with the
+         * "RefNotPermitted" reason.
+         *
+         * ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+         * Secret, or implementation-specific custom resources.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendClientCertificateRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "Secret".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * Backend describes TLS configuration for gateway when connecting
+         * to backends.
+         *
+         * Note that this contains only details for the Gateway as a TLS client,
+         * and does _not_ imply behavior about how to choose which backend should
+         * get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsBackendPatch {
+            clientCertificateRef: outputs.gateway.v1beta1.GatewaySpecTlsBackendClientCertificateRefPatch;
+        }
+
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontend {
+            default: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefault;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPort[];
+        }
+
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefault {
+            validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidation;
+        }
+
+        /**
+         * Default specifies the default client certificate validation configuration
+         * for all Listeners handling HTTPS traffic, unless a per-port configuration
+         * is defined.
+         *
+         * support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultPatch {
+            validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationPatch;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendDefaultValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultValidationCaCertificateRefsPatch[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+
+        /**
+         * Frontend describes TLS config when client connects to Gateway.
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPatch {
+            default: outputs.gateway.v1beta1.GatewaySpecTlsFrontendDefaultPatch;
+            /**
+             * PerPort specifies tls configuration assigned per port.
+             * Per port configuration is optional. Once set this configuration overrides
+             * the default configuration for all Listeners handling HTTPS traffic
+             * that match this port.
+             * Each override port requires a unique TLS configuration.
+             *
+             * support: Core
+             */
+            perPort: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortPatch[];
+        }
+
+        export interface GatewaySpecTlsFrontendPerPort {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port: number;
+            tls: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTls;
+        }
+
+        export interface GatewaySpecTlsFrontendPerPortPatch {
+            /**
+             * The Port indicates the Port Number to which the TLS configuration will be
+             * applied. This configuration will be applied to all Listeners handling HTTPS
+             * traffic that match this port.
+             *
+             * Support: Core
+             */
+            port: number;
+            tls: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsPatch;
+        }
+
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTls {
+            validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidation;
+        }
+
+        /**
+         * TLS store the configuration that will be applied to all Listeners handling
+         * HTTPS traffic and matching given port.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsPatch {
+            validation: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationPatch;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidation {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefs {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * ObjectReference identifies an API object including its namespace.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         *
+         * References to objects with invalid Group and Kind are not valid, and must
+         * be rejected by the implementation, with appropriate Conditions set
+         * on the containing object.
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When set to the empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "ConfigMap" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referenced object. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * Validation holds configuration information for validating the frontend (client).
+         * Setting this field will result in mutual authentication when connecting to the gateway.
+         * In browsers this may result in a dialog appearing
+         * that requests a user to specify the client certificate.
+         * The maximum depth of a certificate chain accepted in verification is Implementation specific.
+         *
+         * Support: Core
+         */
+        export interface GatewaySpecTlsFrontendPerPortTlsValidationPatch {
+            /**
+             * CACertificateRefs contains one or more references to
+             * Kubernetes objects that contain TLS certificates of
+             * the Certificate Authorities that can be used
+             * as a trust anchor to validate the certificates presented by the client.
+             *
+             * A single CA certificate reference to a Kubernetes ConfigMap
+             * has "Core" support.
+             * Implementations MAY choose to support attaching multiple CA certificates to
+             * a Listener, but this behavior is implementation-specific.
+             *
+             * Support: Core - A single reference to a Kubernetes ConfigMap
+             * with the CA certificate in a key named `ca.crt`.
+             *
+             * Support: Implementation-specific (More than one certificate in a ConfigMap
+             * with different keys or more than one reference, or other kinds of resources).
+             *
+             * References to a resource in a different namespace are invalid UNLESS there
+             * is a ReferenceGrant in the target namespace that allows the certificate
+             * to be attached. If a ReferenceGrant does not allow this reference, the
+             * "ResolvedRefs" condition MUST be set to False for this listener with the
+             * "RefNotPermitted" reason.
+             */
+            caCertificateRefs: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPerPortTlsValidationCaCertificateRefsPatch[];
+            /**
+             * FrontendValidationMode defines the mode for validating the client certificate.
+             * There are two possible modes:
+             *
+             * - AllowValidOnly: In this mode, the gateway will accept connections only if
+             *   the client presents a valid certificate. This certificate must successfully
+             *   pass validation against the CA certificates specified in `CACertificateRefs`.
+             * - AllowInsecureFallback: In this mode, the gateway will accept connections
+             *   even if the client certificate is not presented or fails verification.
+             *
+             *   This approach delegates client authorization to the backend and introduce
+             *   a significant security risk. It should be used in testing environments or
+             *   on a temporary basis in non-testing environments.
+             *
+             * Defaults to AllowValidOnly.
+             *
+             * Support: Core
+             */
+            mode: string;
+        }
+
+        /**
+         * TLS specifies frontend and backend tls configuration for entire gateway.
+         *
+         * Support: Extended
+         */
+        export interface GatewaySpecTlsPatch {
+            backend: outputs.gateway.v1beta1.GatewaySpecTlsBackendPatch;
+            frontend: outputs.gateway.v1beta1.GatewaySpecTlsFrontendPatch;
+        }
+
+        /**
+         * Status defines the current state of Gateway.
+         */
+        export interface GatewayStatus {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses: outputs.gateway.v1beta1.GatewayStatusAddresses[];
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions: outputs.gateway.v1beta1.GatewayStatusConditions[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1beta1.GatewayStatusListeners[];
+        }
+
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        export interface GatewayStatusAddresses {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+
+        /**
+         * GatewayStatusAddress describes a network address that is bound to a Gateway.
+         */
+        export interface GatewayStatusAddressesPatch {
+            /**
+             * Type of the address.
+             */
+            type: string;
+            /**
+             * Value of the address. The validity of the values will depend
+             * on the type and support by the controller.
+             *
+             * Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+             */
+            value: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        export interface GatewayStatusListeners {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1beta1.GatewayStatusListenersConditions[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1beta1.GatewayStatusListenersSupportedKinds[];
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusListenersConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface GatewayStatusListenersConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ListenerStatus is the status associated with a Listener.
+         */
+        export interface GatewayStatusListenersPatch {
+            /**
+             * AttachedRoutes represents the total number of Routes that have been
+             * successfully attached to this Listener.
+             *
+             * Successful attachment of a Route to a Listener is based solely on the
+             * combination of the AllowedRoutes field on the corresponding Listener
+             * and the Route's ParentRefs field. A Route is successfully attached to
+             * a Listener when it is selected by the Listener's AllowedRoutes field
+             * AND the Route has a valid ParentRef selecting the whole Gateway
+             * resource or a specific Listener as a parent resource (more detail on
+             * attachment semantics can be found in the documentation on the various
+             * Route kinds ParentRefs fields). Listener or Route status does not impact
+             * successful attachment, i.e. the AttachedRoutes field count MUST be set
+             * for Listeners with condition Accepted: false and MUST count successfully
+             * attached Routes that may themselves have Accepted: false conditions.
+             *
+             * Uses for this field include troubleshooting Route attachment and
+             * measuring blast radius/impact of changes to a Listener.
+             */
+            attachedRoutes: number;
+            /**
+             * Conditions describe the current condition of this listener.
+             */
+            conditions: outputs.gateway.v1beta1.GatewayStatusListenersConditionsPatch[];
+            /**
+             * Name is the name of the Listener that this status corresponds to.
+             */
+            name: string;
+            /**
+             * SupportedKinds is the list indicating the Kinds supported by this
+             * listener. This MUST represent the kinds an implementation supports for
+             * that Listener configuration.
+             *
+             * If kinds are specified in Spec that are not supported, they MUST NOT
+             * appear in this list and an implementation MUST set the "ResolvedRefs"
+             * condition to "False" with the "InvalidRouteKinds" reason. If both valid
+             * and invalid Route kinds are specified, the implementation MUST
+             * reference the valid Route kinds that have been specified.
+             */
+            supportedKinds: outputs.gateway.v1beta1.GatewayStatusListenersSupportedKindsPatch[];
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewayStatusListenersSupportedKinds {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * RouteGroupKind indicates the group and kind of a Route resource.
+         */
+        export interface GatewayStatusListenersSupportedKindsPatch {
+            /**
+             * Group is the group of the Route.
+             */
+            group: string;
+            /**
+             * Kind is the kind of the Route.
+             */
+            kind: string;
+        }
+
+        /**
+         * Status defines the current state of Gateway.
+         */
+        export interface GatewayStatusPatch {
+            /**
+             * Addresses lists the network addresses that have been bound to the
+             * Gateway.
+             *
+             * This list may differ from the addresses provided in the spec under some
+             * conditions:
+             *
+             *   * no addresses are specified, all addresses are dynamically assigned
+             *   * a combination of specified and dynamic addresses are assigned
+             *   * a specified address was unusable (e.g. already in use)
+             */
+            addresses: outputs.gateway.v1beta1.GatewayStatusAddressesPatch[];
+            /**
+             * Conditions describe the current conditions of the Gateway.
+             *
+             * Implementations should prefer to express Gateway conditions
+             * using the `GatewayConditionType` and `GatewayConditionReason`
+             * constants so that operators and tools can converge on a common
+             * vocabulary to describe Gateway state.
+             *
+             * Known condition types are:
+             *
+             * * "Accepted"
+             * * "Programmed"
+             * * "Ready"
+             */
+            conditions: outputs.gateway.v1beta1.GatewayStatusConditionsPatch[];
+            /**
+             * Listeners provide status for each unique listener port defined in the Spec.
+             */
+            listeners: outputs.gateway.v1beta1.GatewayStatusListenersPatch[];
+        }
+
+        /**
+         * HTTPRoute provides a way to route HTTP requests. This includes the capability
+         * to match requests by hostname, path, header, or query param. Filters can be
+         * used to specify additional processing steps. Backends specify where matching
+         * requests should be routed.
+         */
+        export interface HTTPRoute {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1beta1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "HTTPRoute";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1beta1.HTTPRouteSpec;
+            status: outputs.gateway.v1beta1.HTTPRouteStatus;
+        }
+
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        export interface HTTPRouteSpec {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1beta1.HTTPRouteSpecParentRefs[];
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1beta1.HTTPRouteSpecRules[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface HTTPRouteSpecParentRefs {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentReference identifies an API object (usually a Gateway) that can be considered
+         * a parent of this resource (usually a route). There are two kinds of parent resources
+         * with "Core" support:
+         *
+         * * Gateway (Gateway conformance profile)
+         * * Service (Mesh conformance profile, ClusterIP Services only)
+         *
+         * This API may be extended in the future to support additional kinds of parent
+         * resources.
+         *
+         * The API object must be valid in the cluster; the Group and Kind must
+         * be registered in the cluster for this reference to be valid.
+         */
+        export interface HTTPRouteSpecParentRefsPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * Spec defines the desired state of HTTPRoute.
+         */
+        export interface HTTPRouteSpecPatch {
+            /**
+             * Hostnames defines a set of hostnames that should match against the HTTP Host
+             * header to select a HTTPRoute used to process the request. Implementations
+             * MUST ignore any port value specified in the HTTP Host header while
+             * performing a match and (absent of any applicable header modification
+             * configuration) MUST forward this header unmodified to the backend.
+             *
+             * Valid values for Hostnames are determined by RFC 1123 definition of a
+             * hostname with 2 notable exceptions:
+             *
+             * 1. IPs are not allowed.
+             * 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+             *    label must appear by itself as the first label.
+             *
+             * If a hostname is specified by both the Listener and HTTPRoute, there
+             * must be at least one intersecting hostname for the HTTPRoute to be
+             * attached to the Listener. For example:
+             *
+             * * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames, or have specified at
+             *   least one of `test.example.com` or `*.example.com`.
+             * * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+             *   that have either not specified any hostnames or have specified at least
+             *   one hostname that matches the Listener hostname. For example,
+             *   `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+             *   all match. On the other hand, `example.com` and `test.example.net` would
+             *   not match.
+             *
+             * Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+             * as a suffix match. That means that a match for `*.example.com` would match
+             * both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, any
+             * HTTPRoute hostnames that do not match the Listener hostname MUST be
+             * ignored. For example, if a Listener specified `*.example.com`, and the
+             * HTTPRoute specified `test.example.com` and `test.example.net`,
+             * `test.example.net` must not be considered for a match.
+             *
+             * If both the Listener and HTTPRoute have specified hostnames, and none
+             * match with the criteria above, then the HTTPRoute is not accepted. The
+             * implementation must raise an 'Accepted' Condition with a status of
+             * `False` in the corresponding RouteParentStatus.
+             *
+             * In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+             * overlapping wildcard matching and exact matching hostnames), precedence must
+             * be given to rules from the HTTPRoute with the largest number of:
+             *
+             * * Characters in a matching non-wildcard hostname.
+             * * Characters in a matching hostname.
+             *
+             * If ties exist across multiple Routes, the matching precedence rules for
+             * HTTPRouteMatches takes over.
+             *
+             * Support: Core
+             */
+            hostnames: string[];
+            /**
+             * ParentRefs references the resources (usually Gateways) that a Route wants
+             * to be attached to. Note that the referenced parent resource needs to
+             * allow this for the attachment to be complete. For Gateways, that means
+             * the Gateway needs to allow attachment from Routes of this kind and
+             * namespace. For Services, that means the Service must either be in the same
+             * namespace for a "producer" route, or the mesh implementation must support
+             * and allow "consumer" routes for the referenced Service. ReferenceGrant is
+             * not applicable for governing ParentRefs to Services - it is not possible to
+             * create a "producer" route for a Service in a different namespace from the
+             * Route.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * This API may be extended in the future to support additional kinds of parent
+             * resources.
+             *
+             * ParentRefs must be _distinct_. This means either that:
+             *
+             * * They select different objects.  If this is the case, then parentRef
+             *   entries are distinct. In terms of fields, this means that the
+             *   multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+             *   be unique across all parentRef entries in the Route.
+             * * They do not select different objects, but for each optional field used,
+             *   each ParentRef that selects the same object must set the same set of
+             *   optional fields to different values. If one ParentRef sets a
+             *   combination of optional fields, all must set the same combination.
+             *
+             * Some examples:
+             *
+             * * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+             *   same object must also set `sectionName`.
+             * * If one ParentRef sets `port`, all ParentRefs referencing the same
+             *   object must also set `port`.
+             * * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+             *   referencing the same object must also set `sectionName` and `port`.
+             *
+             * It is possible to separately reference multiple distinct objects that may
+             * be collapsed by an implementation. For example, some implementations may
+             * choose to merge compatible Gateway Listeners together. If that is the
+             * case, the list of routes attached to those resources should also be
+             * merged.
+             *
+             * Note that for ParentRefs that cross namespace boundaries, there are specific
+             * rules. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example,
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable other kinds of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             */
+            parentRefs: outputs.gateway.v1beta1.HTTPRouteSpecParentRefsPatch[];
+            /**
+             * Rules are a list of HTTP matchers, filters and actions.
+             */
+            rules: outputs.gateway.v1beta1.HTTPRouteSpecRulesPatch[];
+            /**
+             * UseDefaultGateways indicates the default Gateway scope to use for this
+             * Route. If unset (the default) or set to None, the Route will not be
+             * attached to any default Gateway; if set, it will be attached to any
+             * default Gateway supporting the named scope, subject to the usual rules
+             * about which Routes a Gateway is allowed to claim.
+             *
+             * Think carefully before using this functionality! The set of default
+             * Gateways supporting the requested scope can change over time without
+             * any notice to the Route author, and in many situations it will not be
+             * appropriate to request a default Gateway for a given Route -- for
+             * example, a Route with specific security requirements should almost
+             * certainly not use a default Gateway.
+             */
+            useDefaultGateways: string;
+        }
+
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface HTTPRouteSpecRules {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefs[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesFilters[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatches[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            retry: outputs.gateway.v1beta1.HTTPRouteSpecRulesRetry;
+            sessionPersistence: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistence;
+            timeouts: outputs.gateway.v1beta1.HTTPRouteSpecRulesTimeouts;
+        }
+
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface HTTPRouteSpecRulesBackendRefs {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFilters[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFilters {
+            cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCors;
+            extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRef;
+            externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuth;
+            requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirror;
+            requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect;
+            responseHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuth {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef;
+            forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody;
+            grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc;
+            http: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthBackendRefPatch;
+            forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthForwardBodyPatch;
+            grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthGrpcPatch;
+            http: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthHttpPatch;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersPatch {
+            cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersCorsPatch;
+            extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExtensionRefPatch;
+            externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersExternalAuthPatch;
+            requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch;
+            requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch;
+            responseHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirror {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesBackendRefsFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+         *
+         * Note that when a namespace different than the local namespace is specified, a
+         * ReferenceGrant object is required in the referent namespace to allow that
+         * namespace's owner to accept the reference. See the ReferenceGrant
+         * documentation for details.
+         *
+         *
+         * When the BackendRef points to a Kubernetes Service, implementations SHOULD
+         * honor the appProtocol field if it is set for the target Service Port.
+         *
+         * Implementations supporting appProtocol SHOULD recognize the Kubernetes
+         * Standard Application Protocols defined in KEP-3726.
+         *
+         * If a Service appProtocol isn't specified, an implementation MAY infer the
+         * backend protocol through its own means. Implementations MAY infer the
+         * protocol from the Route type referring to the backend Service.
+         *
+         * If a Route is not able to send traffic to the backend using the specified
+         * protocol then the backend is considered invalid. Implementations MUST set the
+         * "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+         */
+        export interface HTTPRouteSpecRulesBackendRefsPatch {
+            /**
+             * Filters defined at this level should be executed if and only if the
+             * request is being forwarded to the backend defined here.
+             *
+             * Support: Implementation-specific (For broader support of filters, use the
+             * Filters field in HTTPRouteRule.)
+             */
+            filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsFiltersPatch[];
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+            /**
+             * Weight specifies the proportion of requests forwarded to the referenced
+             * backend. This is computed as weight/(sum of all weights in this
+             * BackendRefs list). For non-zero values, there may be some epsilon from
+             * the exact proportion defined here depending on the precision an
+             * implementation supports. Weight is not a percentage and the sum of
+             * weights does not need to equal 100.
+             *
+             * If only one backend is specified and it has a weight greater than 0, 100%
+             * of the traffic is forwarded to that backend. If weight is set to 0, no
+             * traffic should be forwarded for this entry. If unspecified, weight
+             * defaults to 1.
+             *
+             * Support for this field varies based on the context where used.
+             */
+            weight: number;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesFilters {
+            cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCors;
+            extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRef;
+            externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuth;
+            requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifier;
+            requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirror;
+            requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirect;
+            responseHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifier;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewrite;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersCors {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+
+        /**
+         * CORS defines a schema for a filter that responds to the
+         * cross-origin request based on HTTP response header.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersCorsPatch {
+            /**
+             * AllowCredentials indicates whether the actual cross-origin request allows
+             * to include credentials.
+             *
+             * When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+             * response header with value true (case-sensitive).
+             *
+             * When set to false or omitted the gateway will omit the header
+             * `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+             * behavior).
+             *
+             * Support: Extended
+             */
+            allowCredentials: boolean;
+            /**
+             * AllowHeaders indicates which HTTP request headers are supported for
+             * accessing the requested resource.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Allow-Headers`
+             * response header are separated by a comma (",").
+             *
+             * When the `AllowHeaders` field is configured with one or more headers, the
+             * gateway must return the `Access-Control-Allow-Headers` response header
+             * which value is present in the `AllowHeaders` field.
+             *
+             * If any header name in the `Access-Control-Request-Headers` request header
+             * is not included in the list of header names specified by the response
+             * header `Access-Control-Allow-Headers`, it will present an error on the
+             * client side.
+             *
+             * If any header name in the `Access-Control-Allow-Headers` response header
+             * does not recognize by the client, it will also occur an error on the
+             * client side.
+             *
+             * A wildcard indicates that the requests with all HTTP headers are allowed.
+             * The `Access-Control-Allow-Headers` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowHeaders` field
+             * specified with the `*` wildcard, the gateway must specify one or more
+             * HTTP headers in the value of the `Access-Control-Allow-Headers` response
+             * header. The value of the header `Access-Control-Allow-Headers` is same as
+             * the `Access-Control-Request-Headers` header provided by the client. If
+             * the header `Access-Control-Request-Headers` is not included in the
+             * request, the gateway will omit the `Access-Control-Allow-Headers`
+             * response header, instead of specifying the `*` wildcard. A Gateway
+             * implementation may choose to add implementation-specific default headers.
+             *
+             * Support: Extended
+             */
+            allowHeaders: string[];
+            /**
+             * AllowMethods indicates which HTTP methods are supported for accessing the
+             * requested resource.
+             *
+             * Valid values are any method defined by RFC9110, along with the special
+             * value `*`, which represents all HTTP methods are allowed.
+             *
+             * Method names are case sensitive, so these values are also case-sensitive.
+             * (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+             *
+             * Multiple method names in the value of the `Access-Control-Allow-Methods`
+             * response header are separated by a comma (",").
+             *
+             * A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+             * CORS-safelisted methods are always allowed, regardless of whether they
+             * are specified in the `AllowMethods` field.
+             *
+             * When the `AllowMethods` field is configured with one or more methods, the
+             * gateway must return the `Access-Control-Allow-Methods` response header
+             * which value is present in the `AllowMethods` field.
+             *
+             * If the HTTP method of the `Access-Control-Request-Method` request header
+             * is not included in the list of methods specified by the response header
+             * `Access-Control-Allow-Methods`, it will present an error on the client
+             * side.
+             *
+             * The `Access-Control-Allow-Methods` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowMethods` field
+             * specified with the `*` wildcard, the gateway must specify one HTTP method
+             * in the value of the Access-Control-Allow-Methods response header. The
+             * value of the header `Access-Control-Allow-Methods` is same as the
+             * `Access-Control-Request-Method` header provided by the client. If the
+             * header `Access-Control-Request-Method` is not included in the request,
+             * the gateway will omit the `Access-Control-Allow-Methods` response header,
+             * instead of specifying the `*` wildcard. A Gateway implementation may
+             * choose to add implementation-specific default methods.
+             *
+             * Support: Extended
+             */
+            allowMethods: string[];
+            /**
+             * AllowOrigins indicates whether the response can be shared with requested
+             * resource from the given `Origin`.
+             *
+             * The `Origin` consists of a scheme and a host, with an optional port, and
+             * takes the form `<scheme>://<host>(:<port>)`.
+             *
+             * Valid values for scheme are: `http` and `https`.
+             *
+             * Valid values for port are any integer between 1 and 65535 (the list of
+             * available TCP/UDP ports). Note that, if not included, port `80` is
+             * assumed for `http` scheme origins, and port `443` is assumed for `https`
+             * origins. This may affect origin matching.
+             *
+             * The host part of the origin may contain the wildcard character `*`. These
+             * wildcard characters behave as follows:
+             *
+             * * `*` is a greedy match to the _left_, including any number of
+             *   DNS labels to the left of its position. This also means that
+             *   `*` will include any number of period `.` characters to the
+             *   left of its position.
+             * * A wildcard by itself matches all hosts.
+             *
+             * An origin value that includes _only_ the `*` character indicates requests
+             * from all `Origin`s are allowed.
+             *
+             * When the `AllowOrigins` field is configured with multiple origins, it
+             * means the server supports clients from multiple origins. If the request
+             * `Origin` matches the configured allowed origins, the gateway must return
+             * the given `Origin` and sets value of the header
+             * `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+             * client.
+             *
+             * The status code of a successful response to a "preflight" request is
+             * always an OK status (i.e., 204 or 200).
+             *
+             * If the request `Origin` does not match the configured allowed origins,
+             * the gateway returns 204/200 response but doesn't set the relevant
+             * cross-origin response headers. Alternatively, the gateway responds with
+             * 403 status to the "preflight" request is denied, coupled with omitting
+             * the CORS headers. The cross-origin request fails on the client side.
+             * Therefore, the client doesn't attempt the actual cross-origin request.
+             *
+             * The `Access-Control-Allow-Origin` response header can only use `*`
+             * wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * When the `AllowCredentials` field is true and `AllowOrigins` field
+             * specified with the `*` wildcard, the gateway must return a single origin
+             * in the value of the `Access-Control-Allow-Origin` response header,
+             * instead of specifying the `*` wildcard. The value of the header
+             * `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+             * the client.
+             *
+             * Support: Extended
+             */
+            allowOrigins: string[];
+            /**
+             * ExposeHeaders indicates which HTTP response headers can be exposed
+             * to client-side scripts in response to a cross-origin request.
+             *
+             * A CORS-safelisted response header is an HTTP header in a CORS response
+             * that it is considered safe to expose to the client scripts.
+             * The CORS-safelisted response headers include the following headers:
+             * `Cache-Control`
+             * `Content-Language`
+             * `Content-Length`
+             * `Content-Type`
+             * `Expires`
+             * `Last-Modified`
+             * `Pragma`
+             * (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+             * The CORS-safelisted response headers are exposed to client by default.
+             *
+             * When an HTTP header name is specified using the `ExposeHeaders` field,
+             * this additional header will be exposed as part of the response to the
+             * client.
+             *
+             * Header names are not case sensitive.
+             *
+             * Multiple header names in the value of the `Access-Control-Expose-Headers`
+             * response header are separated by a comma (",").
+             *
+             * A wildcard indicates that the responses with all HTTP headers are exposed
+             * to clients. The `Access-Control-Expose-Headers` response header can only
+             * use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
+             *
+             * Support: Extended
+             */
+            exposeHeaders: string[];
+            /**
+             * MaxAge indicates the duration (in seconds) for the client to cache the
+             * results of a "preflight" request.
+             *
+             * The information provided by the `Access-Control-Allow-Methods` and
+             * `Access-Control-Allow-Headers` response headers can be cached by the
+             * client until the time specified by `Access-Control-Max-Age` elapses.
+             *
+             * The default value of `Access-Control-Max-Age` response header is 5
+             * (seconds).
+             */
+            maxAge: number;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesFiltersExtensionRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExtensionRef is an optional, implementation-specific extension to the
+         * "filter" behavior.  For example, resource "myroutefilter" in group
+         * "networking.example.net"). ExtensionRef MUST NOT be used for core and
+         * extended filters.
+         *
+         * This filter can be used multiple times within the same rule.
+         *
+         * Support: Implementation-specific
+         */
+        export interface HTTPRouteSpecRulesFiltersExtensionRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent. For example "HTTPRoute" or "Service".
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuth {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRef;
+            forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBody;
+            grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpc;
+            http: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttp;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef is a reference to a backend to send authorization
+         * requests to.
+         *
+         * The backend must speak the selected protocol (GRPC or HTTP) on the
+         * referenced port.
+         *
+         * If the backend service requires TLS, use BackendTLSPolicy to tell the
+         * implementation to supply the TLS details to be used to connect to that
+         * backend.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBody {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+
+        /**
+         * ForwardBody controls if requests to the authorization server should include
+         * the body of the client request; and if so, how big that body is allowed
+         * to be.
+         *
+         * It is expected that implementations will buffer the request body up to
+         * `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+         * 4xx series error (413 or 403 are common examples), and fail processing
+         * of the filter.
+         *
+         * If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+         * be forwarded.
+         *
+         * Feature Name: HTTPRouteExternalAuthForwardBody
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch {
+            /**
+             * MaxSize specifies how large in bytes the largest body that will be buffered
+             * and sent to the authorization server. If the body size is larger than
+             * `maxSize`, then the body sent to the authorization server must be
+             * truncated to `maxSize` bytes.
+             *
+             * Experimental note: This behavior needs to be checked against
+             * various dataplanes; it may need to be changed.
+             * See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+             * for more.
+             *
+             * If 0, the body will not be sent to the authorization server.
+             */
+            maxSize: number;
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthGrpc {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+
+        /**
+         * GRPCAuthConfig contains configuration for communication with ext_authz
+         * protocol-speaking backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch {
+            /**
+             * AllowedRequestHeaders specifies what headers from the client request
+             * will be sent to the authorization server.
+             *
+             * If this list is empty, then all headers must be sent.
+             *
+             * If the list has entries, only those entries must be sent.
+             */
+            allowedHeaders: string[];
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthHttp {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+
+        /**
+         * HTTPAuthConfig contains configuration for communication with HTTP-speaking
+         * backends.
+         *
+         * If unset, implementations must assume the default behavior for each
+         * included field is intended.
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthHttpPatch {
+            /**
+             * AllowedRequestHeaders specifies what additional headers from the client request
+             * will be sent to the authorization server.
+             *
+             * The following headers must always be sent to the authorization server,
+             * regardless of this setting:
+             *
+             * * `Host`
+             * * `Method`
+             * * `Path`
+             * * `Content-Length`
+             * * `Authorization`
+             *
+             * If this list is empty, then only those headers must be sent.
+             *
+             * Note that `Content-Length` has a special behavior, in that the length
+             * sent must be correct for the actual request to the external authorization
+             * server - that is, it must reflect the actual number of bytes sent in the
+             * body of the request to the authorization server.
+             *
+             * So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+             * to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+             * to anything other than `0`, then the `Content-Length` of the authorization
+             * request must be set to the actual number of bytes forwarded.
+             */
+            allowedHeaders: string[];
+            /**
+             * AllowedResponseHeaders specifies what headers from the authorization response
+             * will be copied into the request to the backend.
+             *
+             * If this list is empty, then all headers from the authorization server
+             * except Authority or Host must be copied.
+             */
+            allowedResponseHeaders: string[];
+            /**
+             * Path sets the prefix that paths from the client request will have added
+             * when forwarded to the authorization server.
+             *
+             * When empty or unspecified, no prefix is added.
+             *
+             * Valid values are the same as the "value" regex for path values in the `match`
+             * stanza, and the validation regex will screen out invalid paths in the same way.
+             * Even with the validation, implementations MUST sanitize this input before using it
+             * directly.
+             */
+            path: string;
+        }
+
+        /**
+         * ExternalAuth configures settings related to sending request details
+         * to an external auth service. The external service MUST authenticate
+         * the request, and MAY authorize the request as well.
+         *
+         * If there is any problem communicating with the external service,
+         * this filter MUST fail closed.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersExternalAuthPatch {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthBackendRefPatch;
+            forwardBody: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthForwardBodyPatch;
+            grpc: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthGrpcPatch;
+            http: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthHttpPatch;
+            /**
+             * ExternalAuthProtocol describes which protocol to use when communicating with an
+             * ext_authz authorization server.
+             *
+             * When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+             * on the port specified in `backendRefs`. Requests and responses are defined
+             * in the protobufs explained at:
+             * https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+             *
+             * When this is set to HTTP, each backend must respond with a `200` status
+             * code in on a successful authorization. Any other code is considered
+             * an authorization failure.
+             *
+             * Feature Names:
+             * GRPC Support - HTTPRouteExternalAuthGRPC
+             * HTTP Support - HTTPRouteExternalAuthHTTP
+             */
+            protocol: string;
+        }
+
+        /**
+         * HTTPRouteFilter defines processing steps that must be completed during the
+         * request or response lifecycle. HTTPRouteFilters are meant as an extension
+         * point to express processing that may be done in Gateway implementations. Some
+         * examples include request or response modification, implementing
+         * authentication strategies, rate-limiting, and traffic shaping. API
+         * guarantee/conformance is defined based on the type of the filter.
+         */
+        export interface HTTPRouteSpecRulesFiltersPatch {
+            cors: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersCorsPatch;
+            extensionRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExtensionRefPatch;
+            externalAuth: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersExternalAuthPatch;
+            requestHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch;
+            requestMirror: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorPatch;
+            requestRedirect: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPatch;
+            responseHeaderModifier: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch;
+            /**
+             * Type identifies the type of filter to apply. As with other API fields,
+             * types are classified into three conformance levels:
+             *
+             * - Core: Filter types and their corresponding configuration defined by
+             *   "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+             *   implementations must support core filters.
+             *
+             * - Extended: Filter types and their corresponding configuration defined by
+             *   "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+             *   are encouraged to support extended filters.
+             *
+             * - Implementation-specific: Filters that are defined and supported by
+             *   specific vendors.
+             *   In the future, filters showing convergence in behavior across multiple
+             *   implementations will be considered for inclusion in extended or core
+             *   conformance levels. Filter-specific configuration for such filters
+             *   is specified using the ExtensionRef field. `Type` should be set to
+             *   "ExtensionRef" for custom filters.
+             *
+             * Implementers are encouraged to define custom implementation types to
+             * extend the core API with implementation-specific behavior.
+             *
+             * If a reference to a custom filter type cannot be resolved, the filter
+             * MUST NOT be skipped. Instead, requests that would have been processed by
+             * that filter MUST receive a HTTP error response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+            urlRewrite: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePatch;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestHeaderModifier defines a schema for a filter that modifies request
+         * headers.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirror {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRef;
+            fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFraction;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRef {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * BackendRef references a resource where mirrored requests are sent.
+         *
+         * Mirrored requests must be sent only to a single destination endpoint
+         * within this BackendRef, irrespective of how many endpoints are present
+         * within this BackendRef.
+         *
+         * If the referent cannot be found, this BackendRef is invalid and must be
+         * dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+         * condition on the Route status is set to `status: False` and not configure
+         * this backend in the underlying implementation.
+         *
+         * If there is a cross-namespace reference to an *existing* object
+         * that is not allowed by a ReferenceGrant, the controller must ensure the
+         * "ResolvedRefs"  condition on the Route is set to `status: False`,
+         * with the "RefNotPermitted" reason and not configure this backend in the
+         * underlying implementation.
+         *
+         * In either error case, the Message of the `ResolvedRefs` Condition
+         * should be used to provide more detail about the problem.
+         *
+         * Support: Extended for Kubernetes Service
+         *
+         * Support: Implementation-specific for any other resource
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch {
+            /**
+             * Group is the group of the referent. For example, "gateway.networking.k8s.io".
+             * When unspecified or empty string, core API group is inferred.
+             */
+            group: string;
+            /**
+             * Kind is the Kubernetes resource kind of the referent. For example
+             * "Service".
+             *
+             * Defaults to "Service" when not specified.
+             *
+             * ExternalName services can refer to CNAME DNS records that may live
+             * outside of the cluster and as such are difficult to reason about in
+             * terms of conformance. They also may not be safe to forward to (see
+             * CVE-2021-25740 for more information). Implementations SHOULD NOT
+             * support ExternalName Services.
+             *
+             * Support: Core (Services with a type other than ExternalName)
+             *
+             * Support: Implementation-specific (Services with type ExternalName)
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the backend. When unspecified, the local
+             * namespace is inferred.
+             *
+             * Note that when a namespace different than the local namespace is specified,
+             * a ReferenceGrant object is required in the referent namespace to allow that
+             * namespace's owner to accept the reference. See the ReferenceGrant
+             * documentation for details.
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port specifies the destination port number to use for this resource.
+             * Port is required when the referent is a Kubernetes Service. In this
+             * case, the port number is the service port number, not the target port.
+             * For other resources, destination port might be derived from the referent
+             * resource or this field.
+             */
+            port: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorFraction {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * Fraction represents the fraction of requests that should be
+         * mirrored to BackendRef.
+         *
+         * Only one of Fraction or Percent may be specified. If neither field
+         * is specified, 100% of requests will be mirrored.
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch {
+            denominator: number;
+            numerator: number;
+        }
+
+        /**
+         * RequestMirror defines a schema for a filter that mirrors requests.
+         * Requests are sent to the specified destination, but responses from
+         * that destination are ignored.
+         *
+         * This filter can be used multiple times within the same rule. Note that
+         * not all implementations will be able to support mirroring to multiple
+         * backends.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestMirrorPatch {
+            backendRef: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorBackendRefPatch;
+            fraction: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestMirrorFractionPatch;
+            /**
+             * Percent represents the percentage of requests that should be
+             * mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+             * requests) and its maximum value is 100 (indicating 100% of requests).
+             *
+             * Only one of Fraction or Percent may be specified. If neither field
+             * is specified, 100% of requests will be mirrored.
+             */
+            percent: number;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirect {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPath;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+
+        /**
+         * RequestRedirect defines a schema for a filter that responds to the
+         * request with an HTTP redirection.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPatch {
+            /**
+             * Hostname is the hostname to be used in the value of the `Location`
+             * header in the response.
+             * When empty, the hostname in the `Host` header of the request is used.
+             *
+             * Support: Core
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersRequestRedirectPathPatch;
+            /**
+             * Port is the port to be used in the value of the `Location`
+             * header in the response.
+             *
+             * If no port is specified, the redirect port MUST be derived using the
+             * following rules:
+             *
+             * * If redirect scheme is not-empty, the redirect port MUST be the well-known
+             *   port associated with the redirect scheme. Specifically "http" to port 80
+             *   and "https" to port 443. If the redirect scheme does not have a
+             *   well-known port, the listener port of the Gateway SHOULD be used.
+             * * If redirect scheme is empty, the redirect port MUST be the Gateway
+             *   Listener port.
+             *
+             * Implementations SHOULD NOT add the port number in the 'Location'
+             * header in the following cases:
+             *
+             * * A Location header that will use HTTP (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 80.
+             * * A Location header that will use HTTPS (whether that is determined via
+             *   the Listener protocol or the Scheme field) _and_ use port 443.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * Scheme is the scheme to be used in the value of the `Location` header in
+             * the response. When empty, the scheme of the request is used.
+             *
+             * Scheme redirects can affect the port of the redirect, for more information,
+             * refer to the documentation for the port field of this filter.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Extended
+             */
+            scheme: string;
+            /**
+             * StatusCode is the HTTP status code to be used in response.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             *
+             * Support: Core
+             */
+            statusCode: number;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * Path defines parameters used to modify the path of the incoming request.
+         * The modified path is then used to construct the `Location` header. When
+         * empty, the request path is used as-is.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersRequestRedirectPathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifier {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSet[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAdd {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * ResponseHeaderModifier defines a schema for a filter that modifies response
+         * headers.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierPatch {
+            /**
+             * Add adds the given header(s) (name, value) to the request
+             * before the action. It appends to any existing values associated
+             * with the header name.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   add:
+             *   - name: "my-header"
+             *     value: "bar,baz"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo,bar,baz
+             */
+            add: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierAddPatch[];
+            /**
+             * Remove the given header(s) from the HTTP request before the action. The
+             * value of Remove is a list of HTTP header names. Note that the header
+             * names are case-insensitive (see
+             * https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header1: foo
+             *   my-header2: bar
+             *   my-header3: baz
+             *
+             * Config:
+             *   remove: ["my-header1", "my-header3"]
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header2: bar
+             */
+            remove: string[];
+            /**
+             * Set overwrites the request with the given header (name, value)
+             * before the action.
+             *
+             * Input:
+             *   GET /foo HTTP/1.1
+             *   my-header: foo
+             *
+             * Config:
+             *   set:
+             *   - name: "my-header"
+             *     value: "bar"
+             *
+             * Output:
+             *   GET /foo HTTP/1.1
+             *   my-header: bar
+             */
+            set: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch[];
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSet {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.
+         */
+        export interface HTTPRouteSpecRulesFiltersResponseHeaderModifierSetPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, the first entry with
+             * an equivalent name MUST be considered for a match. Subsequent entries
+             * with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             */
+            name: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewrite {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePath;
+        }
+
+        /**
+         * URLRewrite defines a schema for a filter that modifies a request during forwarding.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePatch {
+            /**
+             * Hostname is the value to be used to replace the Host header value during
+             * forwarding.
+             *
+             * Support: Extended
+             */
+            hostname: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersUrlRewritePathPatch;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePath {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * Path defines a path rewrite.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesFiltersUrlRewritePathPatch {
+            /**
+             * ReplaceFullPath specifies the value with which to replace the full path
+             * of a request during a rewrite or redirect.
+             */
+            replaceFullPath: string;
+            /**
+             * ReplacePrefixMatch specifies the value with which to replace the prefix
+             * match of a request during a rewrite or redirect. For example, a request
+             * to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+             * of "/xyz" would be modified to "/xyz/bar".
+             *
+             * Note that this matches the behavior of the PathPrefix match type. This
+             * matches full path elements. A path element refers to the list of labels
+             * in the path split by the `/` separator. When specified, a trailing `/` is
+             * ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+             * match the prefix `/abc`, but the path `/abcd` would not.
+             *
+             * ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+             * Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+             * the implementation setting the Accepted Condition for the Route to `status: False`.
+             *
+             * Request Path | Prefix Match | Replace Prefix | Modified Path
+             */
+            replacePrefixMatch: string;
+            /**
+             * Type defines the type of path modifier. Additional types may be
+             * added in a future release of the API.
+             *
+             * Note that values may be added to this enum, implementations
+             * must ensure that unknown values will not cause a crash.
+             *
+             * Unknown values here must result in the implementation setting the
+             * Accepted Condition for the Route to `status: False`, with a
+             * Reason of `UnsupportedValue`.
+             */
+            type: string;
+        }
+
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        export interface HTTPRouteSpecRulesMatches {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesHeaders[];
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPath;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParams[];
+        }
+
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        export interface HTTPRouteSpecRulesMatchesHeaders {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+         * headers.
+         */
+        export interface HTTPRouteSpecRulesMatchesHeadersPatch {
+            /**
+             * Name is the name of the HTTP Header to be matched. Name matching MUST be
+             * case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+             *
+             * If multiple entries specify equivalent header names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent header name MUST be ignored. Due to the
+             * case-insensitivity of header names, "foo" and "Foo" are considered
+             * equivalent.
+             *
+             * When a header is repeated in an HTTP request, it is
+             * implementation-specific behavior as to how this is represented.
+             * Generally, proxies should follow the guidance from the RFC:
+             * https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+             * processing a repeated header, with special handling for "Set-Cookie".
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the header.
+             *
+             * Support: Core (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression HeaderMatchType has implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other dialects
+             * of regular expressions. Please read the implementation's documentation to
+             * determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP Header to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPRouteMatch defines the predicate used to match requests to a given
+         * action. Multiple match types are ANDed together, i.e. the match will
+         * evaluate to true only if all conditions are satisfied.
+         *
+         * For example, the match below will match a HTTP request only if its path
+         * starts with `/foo` AND it contains the `version: v1` header:
+         *
+         * ```
+         * match:
+         *
+         * 	path:
+         * 	  value: "/foo"
+         * 	headers:
+         * 	- name: "version"
+         * 	  value "v1"
+         *
+         * ```
+         */
+        export interface HTTPRouteSpecRulesMatchesPatch {
+            /**
+             * Headers specifies HTTP request header matchers. Multiple match values are
+             * ANDed together, meaning, a request must match all the specified headers
+             * to select the route.
+             */
+            headers: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesHeadersPatch[];
+            /**
+             * Method specifies HTTP method matcher.
+             * When specified, this route will be matched only if the request has the
+             * specified method.
+             *
+             * Support: Extended
+             */
+            method: string;
+            path: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPathPatch;
+            /**
+             * QueryParams specifies HTTP query parameter matchers. Multiple match
+             * values are ANDed together, meaning, a request must match all the
+             * specified query parameters to select the route.
+             *
+             * Support: Extended
+             */
+            queryParams: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesQueryParamsPatch[];
+        }
+
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        export interface HTTPRouteSpecRulesMatchesPath {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value: string;
+        }
+
+        /**
+         * Path specifies a HTTP request path matcher. If this field is not
+         * specified, a default prefix match on the "/" path is provided.
+         */
+        export interface HTTPRouteSpecRulesMatchesPathPatch {
+            /**
+             * Type specifies how to match against the path Value.
+             *
+             * Support: Core (Exact, PathPrefix)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             */
+            type: string;
+            /**
+             * Value of the HTTP path to match against.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        export interface HTTPRouteSpecRulesMatchesQueryParams {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+         * query parameters.
+         */
+        export interface HTTPRouteSpecRulesMatchesQueryParamsPatch {
+            /**
+             * Name is the name of the HTTP query param to be matched. This must be an
+             * exact string match. (See
+             * https://tools.ietf.org/html/rfc7230#section-2.7.3).
+             *
+             * If multiple entries specify equivalent query param names, only the first
+             * entry with an equivalent name MUST be considered for a match. Subsequent
+             * entries with an equivalent query param name MUST be ignored.
+             *
+             * If a query param is repeated in an HTTP request, the behavior is
+             * purposely left undefined, since different data planes have different
+             * capabilities. However, it is *recommended* that implementations should
+             * match against the first value of the param if the data plane supports it,
+             * as this behavior is expected in other load balancing contexts outside of
+             * the Gateway API.
+             *
+             * Users SHOULD NOT route traffic based on repeated query params to guard
+             * themselves against potential differences in the implementations.
+             */
+            name: string;
+            /**
+             * Type specifies how to match against the value of the query parameter.
+             *
+             * Support: Extended (Exact)
+             *
+             * Support: Implementation-specific (RegularExpression)
+             *
+             * Since RegularExpression QueryParamMatchType has Implementation-specific
+             * conformance, implementations can support POSIX, PCRE or any other
+             * dialects of regular expressions. Please read the implementation's
+             * documentation to determine the supported dialect.
+             */
+            type: string;
+            /**
+             * Value is the value of HTTP query param to be matched.
+             */
+            value: string;
+        }
+
+        /**
+         * HTTPRouteRule defines semantics for matching an HTTP request based on
+         * conditions (matches), processing it (filters), and forwarding the request to
+         * an API object (backendRefs).
+         */
+        export interface HTTPRouteSpecRulesPatch {
+            /**
+             * BackendRefs defines the backend(s) where matching requests should be
+             * sent.
+             *
+             * Failure behavior here depends on how many BackendRefs are specified and
+             * how many are invalid.
+             *
+             * If *all* entries in BackendRefs are invalid, and there are also no filters
+             * specified in this route rule, *all* traffic which matches this rule MUST
+             * receive a 500 status code.
+             *
+             * See the HTTPBackendRef definition for the rules about what makes a single
+             * HTTPBackendRef invalid.
+             *
+             * When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+             * requests that would have otherwise been routed to an invalid backend. If
+             * multiple backends are specified, and some are invalid, the proportion of
+             * requests that would otherwise have been routed to an invalid backend
+             * MUST receive a 500 status code.
+             *
+             * For example, if two backends are specified with equal weights, and one is
+             * invalid, 50 percent of traffic must receive a 500. Implementations may
+             * choose how that 50 percent is determined.
+             *
+             * When a HTTPBackendRef refers to a Service that has no ready endpoints,
+             * implementations SHOULD return a 503 for requests to that backend instead.
+             * If an implementation chooses to do this, all of the above rules for 500 responses
+             * MUST also apply for responses that return a 503.
+             *
+             * Support: Core for Kubernetes Service
+             *
+             * Support: Extended for Kubernetes ServiceImport
+             *
+             * Support: Implementation-specific for any other resource
+             *
+             * Support for weight: Core
+             */
+            backendRefs: outputs.gateway.v1beta1.HTTPRouteSpecRulesBackendRefsPatch[];
+            /**
+             * Filters define the filters that are applied to requests that match
+             * this rule.
+             *
+             * Wherever possible, implementations SHOULD implement filters in the order
+             * they are specified.
+             *
+             * Implementations MAY choose to implement this ordering strictly, rejecting
+             * any combination or order of filters that cannot be supported. If implementations
+             * choose a strict interpretation of filter ordering, they MUST clearly document
+             * that behavior.
+             *
+             * To reject an invalid combination or order of filters, implementations SHOULD
+             * consider the Route Rules with this configuration invalid. If all Route Rules
+             * in a Route are invalid, the entire Route would be considered invalid. If only
+             * a portion of Route Rules are invalid, implementations MUST set the
+             * "PartiallyInvalid" condition for the Route.
+             *
+             * Conformance-levels at this level are defined based on the type of filter:
+             *
+             * - ALL core filters MUST be supported by all implementations.
+             * - Implementers are encouraged to support extended filters.
+             * - Implementation-specific custom filters have no API guarantees across
+             *   implementations.
+             *
+             * Specifying the same filter multiple times is not supported unless explicitly
+             * indicated in the filter.
+             *
+             * All filters are expected to be compatible with each other except for the
+             * URLRewrite and RequestRedirect filters, which may not be combined. If an
+             * implementation cannot support other combinations of filters, they must clearly
+             * document that limitation. In cases where incompatible or unsupported
+             * filters are specified and cause the `Accepted` condition to be set to status
+             * `False`, implementations may use the `IncompatibleFilters` reason to specify
+             * this configuration error.
+             *
+             * Support: Core
+             */
+            filters: outputs.gateway.v1beta1.HTTPRouteSpecRulesFiltersPatch[];
+            /**
+             * Matches define conditions used for matching the rule against incoming
+             * HTTP requests. Each match is independent, i.e. this rule will be matched
+             * if **any** one of the matches is satisfied.
+             *
+             * For example, take the following matches configuration:
+             *
+             * ```
+             * matches:
+             * - path:
+             *     value: "/foo"
+             *   headers:
+             *   - name: "version"
+             *     value: "v2"
+             * - path:
+             *     value: "/v2/foo"
+             * ```
+             *
+             * For a request to match against this rule, a request must satisfy
+             * EITHER of the two conditions:
+             *
+             * - path prefixed with `/foo` AND contains the header `version: v2`
+             * - path prefix of `/v2/foo`
+             *
+             * See the documentation for HTTPRouteMatch on how to specify multiple
+             * match conditions that should be ANDed together.
+             *
+             * If no matches are specified, the default is a prefix
+             * path match on "/", which has the effect of matching every
+             * HTTP request.
+             *
+             * Proxy or Load Balancer routing configuration generated from HTTPRoutes
+             * MUST prioritize matches based on the following criteria, continuing on
+             * ties. Across all rules specified on applicable Routes, precedence must be
+             * given to the match having:
+             *
+             * * "Exact" path match.
+             * * "Prefix" path match with largest number of characters.
+             * * Method match.
+             * * Largest number of header matches.
+             * * Largest number of query param matches.
+             *
+             * Note: The precedence of RegularExpression path matches are implementation-specific.
+             *
+             * If ties still exist across multiple Routes, matching precedence MUST be
+             * determined in order of the following criteria, continuing on ties:
+             *
+             * * The oldest Route based on creation timestamp.
+             * * The Route appearing first in alphabetical order by
+             *   "{namespace}/{name}".
+             *
+             * If ties still exist within an HTTPRoute, matching precedence MUST be granted
+             * to the FIRST matching rule (in list order) with a match meeting the above
+             * criteria.
+             *
+             * When no rules matching a request have been successfully attached to the
+             * parent a request is coming from, a HTTP 404 status code MUST be returned.
+             */
+            matches: outputs.gateway.v1beta1.HTTPRouteSpecRulesMatchesPatch[];
+            /**
+             * Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+             *
+             * Support: Extended
+             */
+            name: string;
+            retry: outputs.gateway.v1beta1.HTTPRouteSpecRulesRetryPatch;
+            sessionPersistence: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistencePatch;
+            timeouts: outputs.gateway.v1beta1.HTTPRouteSpecRulesTimeoutsPatch;
+        }
+
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesRetry {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts: number;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff: string;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes: number[];
+        }
+
+        /**
+         * Retry defines the configuration for when to retry an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesRetryPatch {
+            /**
+             * Attempts specifies the maximum number of times an individual request
+             * from the gateway to a backend should be retried.
+             *
+             * If the maximum number of retries has been attempted without a successful
+             * response from the backend, the Gateway MUST return an error.
+             *
+             * When this field is unspecified, the number of times to attempt to retry
+             * a backend request is implementation-specific.
+             *
+             * Support: Extended
+             */
+            attempts: number;
+            /**
+             * Backoff specifies the minimum duration a Gateway should wait between
+             * retry attempts and is represented in Gateway API Duration formatting.
+             *
+             * For example, setting the `rules[].retry.backoff` field to the value
+             * `100ms` will cause a backend request to first be retried approximately
+             * 100 milliseconds after timing out or receiving a response code configured
+             * to be retryable.
+             *
+             * An implementation MAY use an exponential or alternative backoff strategy
+             * for subsequent retry attempts, MAY cap the maximum backoff duration to
+             * some amount greater than the specified minimum, and MAY add arbitrary
+             * jitter to stagger requests, as long as unsuccessful backend requests are
+             * not retried before the configured minimum duration.
+             *
+             * If a Request timeout (`rules[].timeouts.request`) is configured on the
+             * route, the entire duration of the initial request and any retry attempts
+             * MUST not exceed the Request timeout duration. If any retry attempts are
+             * still in progress when the Request timeout duration has been reached,
+             * these SHOULD be canceled if possible and the Gateway MUST immediately
+             * return a timeout error.
+             *
+             * If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+             * configured on the route, any retry attempts which reach the configured
+             * BackendRequest timeout duration without a response SHOULD be canceled if
+             * possible and the Gateway should wait for at least the specified backoff
+             * duration before attempting to retry the backend request again.
+             *
+             * If a BackendRequest timeout is _not_ configured on the route, retry
+             * attempts MAY time out after an implementation default duration, or MAY
+             * remain pending until a configured Request timeout or implementation
+             * default duration for total request time is reached.
+             *
+             * When this field is unspecified, the time to wait between retry attempts
+             * is implementation-specific.
+             *
+             * Support: Extended
+             */
+            backoff: string;
+            /**
+             * Codes defines the HTTP response status codes for which a backend request
+             * should be retried.
+             *
+             * Support: Extended
+             */
+            codes: number[];
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesSessionPersistence {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistenceCookieConfig;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesSessionPersistenceCookieConfig {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+
+        /**
+         * CookieConfig provides configuration settings that are specific
+         * to cookie-based session persistence.
+         *
+         * Support: Core
+         */
+        export interface HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch {
+            /**
+             * LifetimeType specifies whether the cookie has a permanent or
+             * session-based lifetime. A permanent cookie persists until its
+             * specified expiry time, defined by the Expires or Max-Age cookie
+             * attributes, while a session cookie is deleted when the current
+             * session ends.
+             *
+             * When set to "Permanent", AbsoluteTimeout indicates the
+             * cookie's lifetime via the Expires or Max-Age cookie attributes
+             * and is required.
+             *
+             * When set to "Session", AbsoluteTimeout indicates the
+             * absolute lifetime of the cookie tracked by the gateway and
+             * is optional.
+             *
+             * Defaults to "Session".
+             *
+             * Support: Core for "Session" type
+             *
+             * Support: Extended for "Permanent" type
+             */
+            lifetimeType: string;
+        }
+
+        /**
+         * SessionPersistence defines and configures session persistence
+         * for the route rule.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesSessionPersistencePatch {
+            /**
+             * AbsoluteTimeout defines the absolute timeout of the persistent
+             * session. Once the AbsoluteTimeout duration has elapsed, the
+             * session becomes invalid.
+             *
+             * Support: Extended
+             */
+            absoluteTimeout: string;
+            cookieConfig: outputs.gateway.v1beta1.HTTPRouteSpecRulesSessionPersistenceCookieConfigPatch;
+            /**
+             * IdleTimeout defines the idle timeout of the persistent session.
+             * Once the session has been idle for more than the specified
+             * IdleTimeout duration, the session becomes invalid.
+             *
+             * Support: Extended
+             */
+            idleTimeout: string;
+            /**
+             * SessionName defines the name of the persistent session token
+             * which may be reflected in the cookie or the header. Users
+             * should avoid reusing session names to prevent unintended
+             * consequences, such as rejection or unpredictable behavior.
+             *
+             * Support: Implementation-specific
+             */
+            sessionName: string;
+            /**
+             * Type defines the type of session persistence such as through
+             * the use a header or cookie. Defaults to cookie based session
+             * persistence.
+             *
+             * Support: Core for "Cookie" type
+             *
+             * Support: Extended for "Header" type
+             */
+            type: string;
+        }
+
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesTimeouts {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest: string;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request: string;
+        }
+
+        /**
+         * Timeouts defines the timeouts that can be configured for an HTTP request.
+         *
+         * Support: Extended
+         */
+        export interface HTTPRouteSpecRulesTimeoutsPatch {
+            /**
+             * BackendRequest specifies a timeout for an individual request from the gateway
+             * to a backend. This covers the time from when the request first starts being
+             * sent from the gateway to when the full response has been received from the backend.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * An entire client HTTP transaction with a gateway, covered by the Request timeout,
+             * may result in more than one call from the gateway to the destination backend,
+             * for example, if automatic retries are supported.
+             *
+             * The value of BackendRequest must be a Gateway API Duration string as defined by
+             * GEP-2257.  When this field is unspecified, its behavior is implementation-specific;
+             * when specified, the value of BackendRequest must be no more than the value of the
+             * Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+             *
+             * Support: Extended
+             */
+            backendRequest: string;
+            /**
+             * Request specifies the maximum duration for a gateway to respond to an HTTP request.
+             * If the gateway has not been able to respond before this deadline is met, the gateway
+             * MUST return a timeout error.
+             *
+             * For example, setting the `rules.timeouts.request` field to the value `10s` in an
+             * `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+             * to complete.
+             *
+             * Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+             * completely. Implementations that cannot completely disable the timeout MUST
+             * instead interpret the zero duration as the longest possible value to which
+             * the timeout can be set.
+             *
+             * This timeout is intended to cover as close to the whole request-response transaction
+             * as possible although an implementation MAY choose to start the timeout after the entire
+             * request stream has been received instead of immediately after the transaction is
+             * initiated by the client.
+             *
+             * The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+             * field is unspecified, request timeout behavior is implementation-specific.
+             *
+             * Support: Extended
+             */
+            request: string;
+        }
+
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        export interface HTTPRouteStatus {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1beta1.HTTPRouteStatusParents[];
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface HTTPRouteStatusParents {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1beta1.HTTPRouteStatusParentsConditions[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1beta1.HTTPRouteStatusParentsParentRef;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface HTTPRouteStatusParentsConditions {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * Condition contains details for one aspect of the current state of this API Resource.
+         */
+        export interface HTTPRouteStatusParentsConditionsPatch {
+            /**
+             * lastTransitionTime is the last time the condition transitioned from one status to another.
+             * This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+             */
+            lastTransitionTime: string;
+            /**
+             * message is a human readable message indicating details about the transition.
+             * This may be an empty string.
+             */
+            message: string;
+            /**
+             * observedGeneration represents the .metadata.generation that the condition was set based upon.
+             * For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+             * with respect to the current state of the instance.
+             */
+            observedGeneration: number;
+            /**
+             * reason contains a programmatic identifier indicating the reason for the condition's last transition.
+             * Producers of specific condition types may define expected values and meanings for this field,
+             * and whether the values are considered a guaranteed API.
+             * The value should be a CamelCase string.
+             * This field may not be empty.
+             */
+            reason: string;
+            /**
+             * status of the condition, one of True, False, Unknown.
+             */
+            status: string;
+            /**
+             * type of condition in CamelCase or in foo.example.com/CamelCase.
+             */
+            type: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface HTTPRouteStatusParentsParentRef {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * ParentRef corresponds with a ParentRef in the spec that this
+         * RouteParentStatus struct describes the status of.
+         */
+        export interface HTTPRouteStatusParentsParentRefPatch {
+            /**
+             * Group is the group of the referent.
+             * When unspecified, "gateway.networking.k8s.io" is inferred.
+             * To set the core API group (such as for a "Service" kind referent),
+             * Group must be explicitly set to "" (empty string).
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is kind of the referent.
+             *
+             * There are two kinds of parent resources with "Core" support:
+             *
+             * * Gateway (Gateway conformance profile)
+             * * Service (Mesh conformance profile, ClusterIP Services only)
+             *
+             * Support for other resources is Implementation-Specific.
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent.
+             *
+             * Support: Core
+             */
+            name: string;
+            /**
+             * Namespace is the namespace of the referent. When unspecified, this refers
+             * to the local namespace of the Route.
+             *
+             * Note that there are specific rules for ParentRefs which cross namespace
+             * boundaries. Cross-namespace references are only valid if they are explicitly
+             * allowed by something in the namespace they are referring to. For example:
+             * Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+             * generic way to enable any other kind of cross-namespace reference.
+             *
+             *
+             * ParentRefs from a Route to a Service in the same namespace are "producer"
+             * routes, which apply default routing rules to inbound connections from
+             * any namespace to the Service.
+             *
+             * ParentRefs from a Route to a Service in a different namespace are
+             * "consumer" routes, and these routing rules are only applied to outbound
+             * connections originating from the same namespace as the Route, for which
+             * the intended destination of the connections are a Service targeted as a
+             * ParentRef of the Route.
+             *
+             *
+             * Support: Core
+             */
+            namespace: string;
+            /**
+             * Port is the network port this Route targets. It can be interpreted
+             * differently based on the type of parent resource.
+             *
+             * When the parent resource is a Gateway, this targets all listeners
+             * listening on the specified port that also support this kind of Route(and
+             * select this Route). It's not recommended to set `Port` unless the
+             * networking behaviors specified in a Route must apply to a specific port
+             * as opposed to a listener(s) whose port(s) may be changed. When both Port
+             * and SectionName are specified, the name and port of the selected listener
+             * must match both specified values.
+             *
+             *
+             * When the parent resource is a Service, this targets a specific port in the
+             * Service spec. When both Port (experimental) and SectionName are specified,
+             * the name and port of the selected port must match both specified values.
+             *
+             *
+             * Implementations MAY choose to support other parent resources.
+             * Implementations supporting other types of parent resources MUST clearly
+             * document how/if Port is interpreted.
+             *
+             * For the purpose of status, an attachment is considered successful as
+             * long as the parent resource accepts it partially. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+             * from the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route,
+             * the Route MUST be considered detached from the Gateway.
+             *
+             * Support: Extended
+             */
+            port: number;
+            /**
+             * SectionName is the name of a section within the target resource. In the
+             * following resources, SectionName is interpreted as the following:
+             *
+             * * Gateway: Listener name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             * * Service: Port name. When both Port (experimental) and SectionName
+             * are specified, the name and port of the selected listener must match
+             * both specified values.
+             *
+             * Implementations MAY choose to support attaching Routes to other resources.
+             * If that is the case, they MUST clearly document how SectionName is
+             * interpreted.
+             *
+             * When unspecified (empty string), this will reference the entire resource.
+             * For the purpose of status, an attachment is considered successful if at
+             * least one section in the parent resource accepts it. For example, Gateway
+             * listeners can restrict which Routes can attach to them by Route kind,
+             * namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+             * the referencing Route, the Route MUST be considered successfully
+             * attached. If no Gateway listeners accept attachment from this Route, the
+             * Route MUST be considered detached from the Gateway.
+             *
+             * Support: Core
+             */
+            sectionName: string;
+        }
+
+        /**
+         * RouteParentStatus describes the status of a route with respect to an
+         * associated Parent.
+         */
+        export interface HTTPRouteStatusParentsPatch {
+            /**
+             * Conditions describes the status of the route with respect to the Gateway.
+             * Note that the route's availability is also subject to the Gateway's own
+             * status conditions and listener status.
+             *
+             * If the Route's ParentRef specifies an existing Gateway that supports
+             * Routes of this kind AND that Gateway's controller has sufficient access,
+             * then that Gateway's controller MUST set the "Accepted" condition on the
+             * Route, to indicate whether the route has been accepted or rejected by the
+             * Gateway, and why.
+             *
+             * A Route MUST be considered "Accepted" if at least one of the Route's
+             * rules is implemented by the Gateway.
+             *
+             * There are a number of cases where the "Accepted" condition may not be set
+             * due to lack of controller visibility, that includes when:
+             *
+             * * The Route refers to a nonexistent parent.
+             * * The Route is of a type that the controller does not support.
+             * * The Route is in a namespace the controller does not have access to.
+             */
+            conditions: outputs.gateway.v1beta1.HTTPRouteStatusParentsConditionsPatch[];
+            /**
+             * ControllerName is a domain/path string that indicates the name of the
+             * controller that wrote this status. This corresponds with the
+             * controllerName field on GatewayClass.
+             *
+             * Example: "example.net/gateway-controller".
+             *
+             * The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+             * valid Kubernetes names
+             * (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+             *
+             * Controllers MUST populate this field when writing status. Controllers should ensure that
+             * entries to status populated with their ControllerName are cleaned up when they are no
+             * longer necessary.
+             */
+            controllerName: string;
+            parentRef: outputs.gateway.v1beta1.HTTPRouteStatusParentsParentRefPatch;
+        }
+
+        /**
+         * Status defines the current state of HTTPRoute.
+         */
+        export interface HTTPRouteStatusPatch {
+            /**
+             * Parents is a list of parent resources (usually Gateways) that are
+             * associated with the route, and the status of the route with respect to
+             * each parent. When this route attaches to a parent, the controller that
+             * manages the parent must add an entry to this list when the controller
+             * first sees the route and should update the entry as appropriate when the
+             * route or gateway is modified.
+             *
+             * Note that parent references that cannot be resolved by an implementation
+             * of this API will not be added to this list. Implementations of this API
+             * can only populate Route status for the Gateways/parent resources they are
+             * responsible for.
+             *
+             * A maximum of 32 Gateways will be represented in this list. An empty list
+             * means the route has not been attached to any Gateway.
+             */
+            parents: outputs.gateway.v1beta1.HTTPRouteStatusParentsPatch[];
+        }
+
+        /**
+         * ReferenceGrant identifies kinds of resources in other namespaces that are
+         * trusted to reference the specified kinds of resources in the same namespace
+         * as the policy.
+         *
+         * Each ReferenceGrant can be used to represent a unique trust relationship.
+         * Additional Reference Grants can be used to add to the set of trusted
+         * sources of inbound references for the namespace they are defined within.
+         *
+         * All cross-namespace references in Gateway API (with the exception of cross-namespace
+         * Gateway-route attachment) require a ReferenceGrant.
+         *
+         * ReferenceGrant is a form of runtime verification allowing users to assert
+         * which cross-namespace object references are permitted. Implementations that
+         * support ReferenceGrant MUST NOT permit cross-namespace references which have
+         * no grant, and MUST respond to the removal of a grant by revoking the access
+         * that the grant allowed.
+         */
+        export interface ReferenceGrant {
+            /**
+             * APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+             */
+            apiVersion: "gateway.networking.k8s.io/v1beta1";
+            /**
+             * Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: "ReferenceGrant";
+            /**
+             * Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            metadata: outputs.meta.v1.ObjectMeta;
+            spec: outputs.gateway.v1beta1.ReferenceGrantSpec;
+        }
+
+        /**
+         * Spec defines the desired state of ReferenceGrant.
+         */
+        export interface ReferenceGrantSpec {
+            /**
+             * From describes the trusted namespaces and kinds that can reference the
+             * resources described in "To". Each entry in this list MUST be considered
+             * to be an additional place that references can be valid from, or to put
+             * this another way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            from: outputs.gateway.v1beta1.ReferenceGrantSpecFrom[];
+            /**
+             * To describes the resources that may be referenced by the resources
+             * described in "From". Each entry in this list MUST be considered to be an
+             * additional place that references can be valid to, or to put this another
+             * way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            to: outputs.gateway.v1beta1.ReferenceGrantSpecTo[];
+        }
+
+        /**
+         * ReferenceGrantFrom describes trusted namespaces and kinds.
+         */
+        export interface ReferenceGrantSpecFrom {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field.
+             *
+             * When used to permit a SecretObjectReference:
+             *
+             * * Gateway
+             *
+             * When used to permit a BackendObjectReference:
+             *
+             * * GRPCRoute
+             * * HTTPRoute
+             * * TCPRoute
+             * * TLSRoute
+             * * UDPRoute
+             */
+            kind: string;
+            /**
+             * Namespace is the namespace of the referent.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * ReferenceGrantFrom describes trusted namespaces and kinds.
+         */
+        export interface ReferenceGrantSpecFromPatch {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field.
+             *
+             * When used to permit a SecretObjectReference:
+             *
+             * * Gateway
+             *
+             * When used to permit a BackendObjectReference:
+             *
+             * * GRPCRoute
+             * * HTTPRoute
+             * * TCPRoute
+             * * TLSRoute
+             * * UDPRoute
+             */
+            kind: string;
+            /**
+             * Namespace is the namespace of the referent.
+             *
+             * Support: Core
+             */
+            namespace: string;
+        }
+
+        /**
+         * Spec defines the desired state of ReferenceGrant.
+         */
+        export interface ReferenceGrantSpecPatch {
+            /**
+             * From describes the trusted namespaces and kinds that can reference the
+             * resources described in "To". Each entry in this list MUST be considered
+             * to be an additional place that references can be valid from, or to put
+             * this another way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            from: outputs.gateway.v1beta1.ReferenceGrantSpecFromPatch[];
+            /**
+             * To describes the resources that may be referenced by the resources
+             * described in "From". Each entry in this list MUST be considered to be an
+             * additional place that references can be valid to, or to put this another
+             * way, entries MUST be combined using OR.
+             *
+             * Support: Core
+             */
+            to: outputs.gateway.v1beta1.ReferenceGrantSpecToPatch[];
+        }
+
+        /**
+         * ReferenceGrantTo describes what Kinds are allowed as targets of the
+         * references.
+         */
+        export interface ReferenceGrantSpecTo {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field:
+             *
+             * * Secret when used to permit a SecretObjectReference
+             * * Service when used to permit a BackendObjectReference
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent. When unspecified, this policy
+             * refers to all resources of the specified Group and Kind in the local
+             * namespace.
+             */
+            name: string;
+        }
+
+        /**
+         * ReferenceGrantTo describes what Kinds are allowed as targets of the
+         * references.
+         */
+        export interface ReferenceGrantSpecToPatch {
+            /**
+             * Group is the group of the referent.
+             * When empty, the Kubernetes core API group is inferred.
+             *
+             * Support: Core
+             */
+            group: string;
+            /**
+             * Kind is the kind of the referent. Although implementations may support
+             * additional resources, the following types are part of the "Core"
+             * support level for this field:
+             *
+             * * Secret when used to permit a SecretObjectReference
+             * * Service when used to permit a BackendObjectReference
+             */
+            kind: string;
+            /**
+             * Name is the name of the referent. When unspecified, this policy
+             * refers to all resources of the specified Group and Kind in the local
+             * namespace.
+             */
+            name: string;
+        }
+
+    }
+}
+
+export namespace meta {
+    export namespace v1 {
+        /**
+         * ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.
+         */
+        export interface ListMeta {
+            /**
+             * continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.
+             */
+            continue: string;
+            /**
+             * remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.
+             */
+            remainingItemCount: number;
+            /**
+             * String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion: string;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink: string;
+        }
+
+        /**
+         * ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.
+         */
+        export interface ManagedFieldsEntry {
+            /**
+             * APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.
+             */
+            apiVersion: string;
+            /**
+             * FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"
+             */
+            fieldsType: string;
+            /**
+             * FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+             */
+            fieldsV1: any;
+            /**
+             * Manager is an identifier of the workflow managing these fields.
+             */
+            manager: string;
+            /**
+             * Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.
+             */
+            operation: string;
+            /**
+             * Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.
+             */
+            subresource: string;
+            /**
+             * Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.
+             */
+            time: string;
+        }
+
+        /**
+         * ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.
+         */
+        export interface ManagedFieldsEntryPatch {
+            /**
+             * APIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.
+             */
+            apiVersion: string;
+            /**
+             * FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"
+             */
+            fieldsType: string;
+            /**
+             * FieldsV1 holds the first JSON version format as described in the "FieldsV1" type.
+             */
+            fieldsV1: any;
+            /**
+             * Manager is an identifier of the workflow managing these fields.
+             */
+            manager: string;
+            /**
+             * Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.
+             */
+            operation: string;
+            /**
+             * Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.
+             */
+            subresource: string;
+            /**
+             * Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over.
+             */
+            time: string;
+        }
+
+        /**
+         * ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.
+         */
+        export interface ObjectMeta {
+            /**
+             * Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
+             */
+            annotations: {[key: string]: string};
+            /**
+             * CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+             *
+             * Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            creationTimestamp: string;
+            /**
+             * Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
+             */
+            deletionGracePeriodSeconds: number;
+            /**
+             * DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
+             *
+             * Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            deletionTimestamp: string;
+            /**
+             * Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
+             */
+            finalizers: string[];
+            /**
+             * GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.
+             *
+             * If this field is specified and the generated name exists, the server will return a 409.
+             *
+             * Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+             */
+            generateName: string;
+            /**
+             * A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
+             */
+            generation: number;
+            /**
+             * Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+             */
+            labels: {[key: string]: string};
+            /**
+             * ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+             */
+            managedFields: outputs.meta.v1.ManagedFieldsEntry[];
+            /**
+             * Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: string;
+            /**
+             * Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
+             *
+             * Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+             */
+            namespace: string;
+            /**
+             * List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
+             */
+            ownerReferences: outputs.meta.v1.OwnerReference[];
+            /**
+             * An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.
+             *
+             * Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion: string;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink: string;
+            /**
+             * UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
+             *
+             * Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: string;
+        }
+
+        /**
+         * ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.
+         */
+        export interface ObjectMetaPatch {
+            /**
+             * Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations
+             */
+            annotations: {[key: string]: string};
+            /**
+             * CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+             *
+             * Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            creationTimestamp: string;
+            /**
+             * Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.
+             */
+            deletionGracePeriodSeconds: number;
+            /**
+             * DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.
+             *
+             * Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+             */
+            deletionTimestamp: string;
+            /**
+             * Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order.  Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.
+             */
+            finalizers: string[];
+            /**
+             * GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.
+             *
+             * If this field is specified and the generated name exists, the server will return a 409.
+             *
+             * Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency
+             */
+            generateName: string;
+            /**
+             * A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.
+             */
+            generation: number;
+            /**
+             * Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
+             */
+            labels: {[key: string]: string};
+            /**
+             * ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.
+             */
+            managedFields: outputs.meta.v1.ManagedFieldsEntryPatch[];
+            /**
+             * Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: string;
+            /**
+             * Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.
+             *
+             * Must be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
+             */
+            namespace: string;
+            /**
+             * List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
+             */
+            ownerReferences: outputs.meta.v1.OwnerReferencePatch[];
+            /**
+             * An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.
+             *
+             * Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+             */
+            resourceVersion: string;
+            /**
+             * Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.
+             */
+            selfLink: string;
+            /**
+             * UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.
+             *
+             * Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: string;
+        }
+
+        /**
+         * OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.
+         */
+        export interface OwnerReference {
+            /**
+             * API version of the referent.
+             */
+            apiVersion: string;
+            /**
+             * If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.
+             */
+            blockOwnerDeletion: boolean;
+            /**
+             * If true, this reference points to the managing controller.
+             */
+            controller: boolean;
+            /**
+             * Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: string;
+            /**
+             * Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: string;
+            /**
+             * UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: string;
+        }
+
+        /**
+         * OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.
+         */
+        export interface OwnerReferencePatch {
+            /**
+             * API version of the referent.
+             */
+            apiVersion: string;
+            /**
+             * If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.
+             */
+            blockOwnerDeletion: boolean;
+            /**
+             * If true, this reference points to the managing controller.
+             */
+            controller: boolean;
+            /**
+             * Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+             */
+            kind: string;
+            /**
+             * Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
+             */
+            name: string;
+            /**
+             * UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
+             */
+            uid: string;
+        }
+
+    }
+}
diff --git a/generated/crds/utilities.d.ts b/generated/crds/utilities.d.ts
new file mode 100644
index 0000000..fdd4517
--- /dev/null
+++ b/generated/crds/utilities.d.ts
@@ -0,0 +1,13 @@
+import * as pulumi from "@pulumi/pulumi";
+export declare function getEnv(...vars: string[]): string | undefined;
+export declare function getEnvBoolean(...vars: string[]): boolean | undefined;
+export declare function getEnvNumber(...vars: string[]): number | undefined;
+export declare const getVersion: () => string;
+/** @internal */
+export declare function resourceOptsDefaults(): any;
+/** @internal */
+export declare function lazyLoad(exports: any, props: string[], loadModule: any): void;
+/** @internal */
+export declare function callAsync<T>(tok: string, props: pulumi.Inputs, res?: pulumi.Resource, opts?: {
+    property?: string;
+}): Promise<T>;
diff --git a/generated/crds/utilities.js b/generated/crds/utilities.js
new file mode 100644
index 0000000..2892cf7
--- /dev/null
+++ b/generated/crds/utilities.js
@@ -0,0 +1,91 @@
+"use strict";
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getVersion = void 0;
+exports.getEnv = getEnv;
+exports.getEnvBoolean = getEnvBoolean;
+exports.getEnvNumber = getEnvNumber;
+exports.resourceOptsDefaults = resourceOptsDefaults;
+exports.lazyLoad = lazyLoad;
+exports.callAsync = callAsync;
+const runtime = require("@pulumi/pulumi/runtime");
+function getEnv(...vars) {
+    for (const v of vars) {
+        const value = process.env[v];
+        if (value) {
+            return value;
+        }
+    }
+    return undefined;
+}
+function getEnvBoolean(...vars) {
+    const s = getEnv(...vars);
+    if (s !== undefined) {
+        // NOTE: these values are taken from https://golang.org/src/strconv/atob.go?s=351:391#L1, which is what
+        // Terraform uses internally when parsing boolean values.
+        if (["1", "t", "T", "true", "TRUE", "True"].find(v => v === s) !== undefined) {
+            return true;
+        }
+        if (["0", "f", "F", "false", "FALSE", "False"].find(v => v === s) !== undefined) {
+            return false;
+        }
+    }
+    return undefined;
+}
+function getEnvNumber(...vars) {
+    const s = getEnv(...vars);
+    if (s !== undefined) {
+        const f = parseFloat(s);
+        if (!isNaN(f)) {
+            return f;
+        }
+    }
+    return undefined;
+}
+const getVersion = () => "4.23.0";
+exports.getVersion = getVersion;
+function unusedGetVersion() {
+    let version = require('./package.json').version;
+    // Node allows for the version to be prefixed by a "v", while semver doesn't.
+    // If there is a v, strip it off.
+    if (version.indexOf('v') === 0) {
+        version = version.slice(1);
+    }
+    return version;
+}
+/** @internal */
+function resourceOptsDefaults() {
+    return { version: (0, exports.getVersion)() };
+}
+/** @internal */
+function lazyLoad(exports, props, loadModule) {
+    for (let property of props) {
+        Object.defineProperty(exports, property, {
+            enumerable: true,
+            get: function () {
+                return loadModule()[property];
+            },
+        });
+    }
+}
+/** @internal */
+async function callAsync(tok, props, res, opts) {
+    const o = runtime.call(tok, props, res);
+    const value = await o.promise(true /*withUnknowns*/);
+    const isKnown = await o.isKnown;
+    const isSecret = await o.isSecret;
+    const problem = !isKnown ? "an unknown value"
+        : isSecret ? "a secret value"
+            : undefined;
+    // Ingoring o.resources silently. They are typically non-empty, r.f() calls include r as a dependency.
+    if (problem) {
+        throw new Error(`Plain resource method "${tok}" incorrectly returned ${problem}. ` +
+            "This is an error in the provider, please report this to the provider developer.");
+    }
+    // Extract a single property if requested.
+    if (opts && opts.property) {
+        return value[opts.property];
+    }
+    return value;
+}
diff --git a/generated/crds/utilities.ts b/generated/crds/utilities.ts
new file mode 100644
index 0000000..2e94bdd
--- /dev/null
+++ b/generated/crds/utilities.ts
@@ -0,0 +1,98 @@
+// *** WARNING: this file was generated by crd2pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+
+import * as runtime from "@pulumi/pulumi/runtime";
+import * as pulumi from "@pulumi/pulumi";
+
+export function getEnv(...vars: string[]): string | undefined {
+    for (const v of vars) {
+        const value = process.env[v];
+        if (value) {
+            return value;
+        }
+    }
+    return undefined;
+}
+
+export function getEnvBoolean(...vars: string[]): boolean | undefined {
+    const s = getEnv(...vars);
+    if (s !== undefined) {
+        // NOTE: these values are taken from https://golang.org/src/strconv/atob.go?s=351:391#L1, which is what
+        // Terraform uses internally when parsing boolean values.
+        if (["1", "t", "T", "true", "TRUE", "True"].find(v => v === s) !== undefined) {
+            return true;
+        }
+        if (["0", "f", "F", "false", "FALSE", "False"].find(v => v === s) !== undefined) {
+            return false;
+        }
+    }
+    return undefined;
+}
+
+export function getEnvNumber(...vars: string[]): number | undefined {
+    const s = getEnv(...vars);
+    if (s !== undefined) {
+        const f = parseFloat(s);
+        if (!isNaN(f)) {
+            return f;
+        }
+    }
+    return undefined;
+}
+
+export const getVersion: () => string = () => "4.23.0"
+
+function unusedGetVersion(): string {
+    let version = require('./package.json').version;
+    // Node allows for the version to be prefixed by a "v", while semver doesn't.
+    // If there is a v, strip it off.
+    if (version.indexOf('v') === 0) {
+        version = version.slice(1);
+    }
+    return version;
+}
+
+/** @internal */
+export function resourceOptsDefaults(): any {
+    return { version: getVersion() };
+}
+
+/** @internal */
+export function lazyLoad(exports: any, props: string[], loadModule: any) {
+    for (let property of props) {
+        Object.defineProperty(exports, property, {
+            enumerable: true,
+            get: function() {
+                return loadModule()[property];
+            },
+        });
+    }
+}
+
+/** @internal */
+export async function callAsync<T>(
+    tok: string,
+    props: pulumi.Inputs,
+    res?: pulumi.Resource,
+    opts?: {property?: string},
+): Promise<T> {
+    const o: any = runtime.call<T>(tok, props, res);
+    const value = await o.promise(true /*withUnknowns*/);
+    const isKnown = await o.isKnown;
+    const isSecret = await o.isSecret;
+    const problem: string|undefined =
+        !isKnown ? "an unknown value"
+        : isSecret ? "a secret value"
+        : undefined;
+    // Ingoring o.resources silently. They are typically non-empty, r.f() calls include r as a dependency.
+    if (problem) {
+        throw new Error(`Plain resource method "${tok}" incorrectly returned ${problem}. ` +
+            "This is an error in the provider, please report this to the provider developer.");
+    }
+    // Extract a single property if requested.
+    if (opts && opts.property) {
+        return value[opts.property];
+    }
+    return value;
+}